Step 1: Awareness of GDPR requirements
Organizations should ensure that the appropriate people are aware of the new changes brought about by the GDPR. These individuals need to assess how the GDPR will impact their current processes, services and products, as well as what needs to change in order to comply with the GDPR.
Step 2: Know the Rights of Data Subjects
The rights of data subjects have been expanded under the GDPR. Therefore, organizations need to ensure that processes are in place that enable individuals to exercise those rights. These processes should have been tested and be subject to continuous oversight to ensure they remain effective.
Data subjects will have the ability to file complaints with DPAs about how their personal data is handled, and how their rights are respected. DPAs will consider every complaint. Subject Rights Management is a core component of the GDPR.
Step 3: Records of Processing Activities
The GDPR requires organizations to keep up-to-date records of their processing activities, including information about the personal data processed, the purpose for processing it, where it originated, and who it is shared with. Organizations need to be able to demonstrate their compliance by sharing these records with DPAs, upon request.
Step 4: Data Protection Impact Assessment (DPIA)
Under the GDPR, organizations must conduct data protection impact assessments (DPIAs) when a processing activity is likely to result in high risk to the rights and freedoms of individuals. However, it is recommended that DPIAs be performed for all processing activities, regardless of risk level.
If identified risks cannot be mitigated successfully, the organization must consult with the DPA prior to commencing the processing activity.
Step 5: Privacy by Design and Data Protection by Default
Organizations need to be aware of the GDPR’s requirements for privacy by design and data protection by default, and begin integrating these principles within their organization.
Privacy needs to be embedded throughout the process of designing products and services. Technical and organizational measures must be in place to ensure the integrity and confidentiality of personal data, and to ensure that personal data is processed only when necessary to achieve a specific purpose.
Step 6: Data Protection Officer (DPO)
Some organizations may be required to appoint a DPO. Organizations need to assess whether this requirement applies to them, and if it does, appoint a DPO as soon as possible to be ready for the GDPR. Regardless, many organizations may want to appoint a DPO as a best practice, even if the requirement does not apply.
Step 7: Data Breach Notification
The GDPR has stricter requirements around recording information about data breaches that occur. Some data breaches will need to be reported to the regulatory authorities within 72 hours of detection.
All data breaches must be documented internally, regardless of whether they must be reported. The documentation must be ready to be shared with a DPA, upon request.
Step 8: Processor Agreements
Organizations need to re-examine their agreements with data processors to ensure that they meet the requirements of the GDPR. New agreements should be drafted with the GDPR’s requirements in mind.
Step 9: Lead Supervisory Authority
Organizations with establishments in, or that conduct processing activities in, multiple EU Member States may be subject to regulation by multiple supervisory authorities. However, organizations need to identify the lead supervisory authority with whom they will work.
Step 10: Consent
Requirements for obtaining valid consent from individuals are stricter under the GDPR. Organizations that rely on consent as the legal basis for a processing activity need to ensure that the consent meets the requirements under the GDPR. This includes how the consent is requested, obtained, recorded, tracked, and amended.
Organizations need to be able to demonstrate that consent meets the GDPR’s requirements, and ensure that individuals have a way to easily withdraw their consent at any time.