Six steps towards GDPR compliance

Published by Joyce de Jong on

Setting up a privacy program from scratch, whether it’s GDPR or CCPA, or both (!) can feel a little overwhelming.Where to start? Which are my biggest risks? How will this impact my business? And when are we compliant enough?

Some of the things we have learned from helping dozens of organizations with their privacy compliance is that you cannot go from 0 to 100% compliance in one go and that compliance is a continuous process anyway. The GDPR specifically has many requirements, principles and conditions, which we have tried to break down in six bite-sized pieces. If you want to make a steady improvement in privacy protection, or GDPR compliance, these are the trends you want to look out for in your organisation:

arrow1
1. The first step concerns personal data collection. The GDPR wants you to collect as little personal data as possible, we call this data minimization. Take measures such as only collecting the data you need for your (clearly defined) purposes and storing data no longer than neccesary.
arrow4
2. The next step is increasing your security. The GDPR requires adequate security for protection personal data. Now you might feel your security is plenty adequate, but have you considered both technical and organisation security measures? And are you keeping up with developments in cyber crime? It is rare to find an organization that cannot benefit from an increase in security or an update of employee awareness of this topic.
arrow2
3. Hopefully more security will lead to fewer data breaches. But do your co-workers know how to detect, report and prevent accidental data breaches?
arrow5
4. The burden of proof for GDPR compliance lies with the organization that is the data controller. Each organization has to be accountable for how they handle personal data and needs to be able to prove they have the right legal grounds for using the data.
arrow3
5. Not all data stays within your organization. Are you aware who your processors are and how they handle data on your behalf? Or maybe selling or sharing data is part of your business. In this case you need to make sure you meet the strict requirements of the GDPR and CCPA.
arrow6
6. Transparency is key in assuring data subjects can enact their privacy rights. Transparency has both an active and a passive component. You need to let people know how you handle their data in a privacy statement and upon request, you need to give a person insight into their own personal data.
Categories: Uncategorised

Joyce de Jong

Joyce de Jong is a privacy lawyer from the Netherlands and Director of GDPR Consultancy at Audittrail Group. She specialises in the GDPR (obviously) and advises companies about the differences between US and EU privacy law.

Related Posts

Do not sell my personal data

Consumers in California are quickly getting familiar with this phrase: do not sell my personal information. It is one of the more noticeable effects of the CCPA; the right of consumers to opt-out of companies Read more…

Privacy, urgent or important?

Recently I learned about the Eisenhower Matrix. Based on a quote by President Eisenhower, “I have two kinds of problems, the urgent and the important. The urgent are not important and the important are never Read more…

Cyber, InfoSec, Privacy, what’s the deal?

Audittrail is housed in the iCybercenter at bwtech@UMBC, yet we are anything but techies. How do privacy lawyers end up in a cyber environment? And what exactly is Information Security, or InfoSec? Well, the fields Read more…