If you’re not among the organisations panicking over the EU General Data Protection Regulation (GDPR), consider yourself either lucky or well prepared. We’re not necessarily referring to sending teams of data protection experts scrambling between departments to check that processes are compliant. That, we expect, is pretty much par for the course – in fact, if all you are doing is checking, you are leaps and bounds ahead of most.
The more common scenario is that organisations have started to address the GDPR late and are trying to fulfil as many requirements as possible by 25 May 2018. But without the necessary time to prepare for compliance, can you be sure that your efforts will be effective? Who in your organisation is overseeing the process and determining what needs to be done? Some have assumed that this is the role of the data protection officer (DPO), a position that the GDPR requires many organisations to fill (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data).
However, the DPO shouldn’t be making business decisions about processing, and they are not responsible for implementing compliance. Rather, they are an independent internal watchdog who monitors compliance and raises concerns when data protection laws such as the GDPR aren’t being followed. They can advise on how to meet the Regulation’s requirements, but it’s not their duty to put the compliance measures in place.
Then who is responsible for compliance? The board of directors is ultimately accountable, but it will typically delegate specific responsibilities. If its top concern is potential lawsuits and fines, it will probably hand the biggest share of the work to the legal department. Or it might be most concerned about being able to keep contacting customers, in which case it will give the marketing department a larger say in how consent and direct-marketing processes are reworked.
No single person or department should own the whole compliance process, but it’s important that those tasked with different requirements work together. This ensures that the Regulation is tackled efficiently, and that everyone is aware of what has been done and what still needs to be done.
Last-minute compliance measures
With compliance responsibility sorted, it’s time for your organisation to dive into the final few days of preparation before the GDPR takes effect. Granted, it’s not as though you have to stop preparing on 25 May 2018, but you’ll want to be able to demonstrate to supervisory authorities that you are committed to compliance.
Here are the last-minute tasks you should complete as soon as possible:
- Assess the lawfulness of processing. There are six lawful bases for processing personal data (Article 6), and you must ascertain, justify and document which basis applies to each processing activity. Most organisations have previously relied on consent, but the GDPR sets a far higher bar for it: consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Where another basis, such as contract or legitimate interests, genuinely applies, it is usually the more robust choice.
- Have processes for data subject rights. Your primary concern should be subject access requests, which entitle individuals to a copy of the personal data an organisation holds on them, along with information such as the purposes of processing and the recipients of the data. After receiving this information, individuals might exercise other rights, such as the right to erasure or the right to restrict processing. You must respond to these requests without undue delay and within one month; that period can be extended by a further two months for complex or numerous requests, but you must tell the individual about the extension, and the reasons for it, within the first month.
- Create a breach and incident register. You must document every personal data breach, whether or not you report it. A breach must be notified to your supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to data subjects’ rights and freedoms, and the affected individuals must also be told without undue delay where the breach is likely to result in a high risk to them. These thresholds increase your need for vigilance when reviewing incidents: you should be capable of quickly assessing the scope of a breach, deciding whether the authority and the data subjects need to be notified, and recording the reasoning behind that decision.
The biggest challenge you’ll face when meeting these requirements is documenting your compliance, because it takes a lot of time. With less than two weeks until the GDPR takes effect, time is not something you have in abundance. However, you can speed up the process significantly by starting from sample documentation, such as that found in our EU General Data Protection Regulation (GDPR) Documentation Toolkit.
This toolkit contains easy-to-use templates, customisable worksheets, policies and expert guidance. It will help you:
- Identify risks to personal data and put in place the necessary controls to resolve those issues;
- Embed the documentation in your organisation quickly and easily; and
- Integrate GDPR documentation alongside your ISO 27001 documentation.