13 steps to a GDPR compliant organisation
The first step towards a GDPR compliant organisation is awareness. While the vast majority of companies are aware of the GDPR, not every organisation adapts its practices adequately to stay in line with the data protection legislation. Ignorance of the preparations that need to be made often turns out to be a recurring problem.
This awareness needs to happen at all levels of your organisation. The integration must be supported top-down. Only then can full compliance be achieved. To achieve this, the necessary key figures and management within your organisation need to be involved in order to implement the necessary changes. When everyone is aware of the importance of complying with the GDPR, it will be easier to comply with these rules.
2. Keep calm and be prepared
To ensure that your organisation can operate in a GDPR compliant manner, it is important that you inform yourself sufficiently. After all, non-compliance with the GDPR is punishable by substantial fines of up to 4% of your global turnover, with a maximum of 20 million euros.
All the more reason to be well informed in advance about the wonderful world of the GDPR.
If you wish, you can make an appointment with us for an introductory meeting. During this meeting we will explain more about the GDPR, look at the needs of your organisation and see how we can assist your organisation concretely.
It is impossible to determine at first sight whether your organisation complies with the GDPR. Therefore, you need to audit your organisation. This audit needs to be carried out in various areas. Both legally and technically there are several pitfalls.
4. Impact assessment
It is important to consider the impact of any data processing by your organisation on all data subjects. In some cases, a Data Protection Impact Assessment (DPIA) will be mandatory. But even when your organisation is not obliged to perform a DPIA, it can still be worthwhile to do so.
After all, a DPIA gives you more insight into the concrete impact of the processing that your organisation wishes to carry out. By carrying out such an assessment, it will be easier for you to estimate all the consequences of the processing. This way you can take better measures to protect your organisation against possible threats.
The better you are informed about all consequences of the planned processing, the more easily you’ll be able to comply with the GDPR. That is why it is always interesting to carry out a DPIA.
Human intervention turns out to be one of the major weaknesses in the security of data processing. You should therefore provide sufficient training for your employees.
Many people do not always realise how sensitive the personal data is that they come into contact with while performing their tasks. This increases the chance that data breaches occur.
To prevent your employees from unknowingly handling personal data carelessly, it is important that you make sure they are sufficiently made aware. Only by offering your employees sufficient training can you ensure that the risk of data breaches caused by human error on their part is reduced.
6. Take measures
In order to limit the risks of certain data processing, your organisation should take technical and organisational measures.
After your organisation has carried out a DPIA, you will know what risks are associated with the data processing in question. The logical consequence of this knowledge is to take technical and organisational measures.
The technical measures have to do with your IT systems. For example, you may be forced to renew the IT systems your organisation uses if it turns out that they are too weak in terms of data protection.
Furthermore, encryption of data is not mandatory under the GDPR, but merely recommended. It is more about being thoughtful as a company about how you handle data. Pseudonymisation of data is a good option to keep in mind, though. It means that personal data can no longer be directly linked to a natural person, but only with the help of additional information that is stored separately. In the event of a data leak, you can thus demonstrate that you have made an effort to secure the personal data processed.
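To make the pseudonymisation described above concrete, here is an added example (not code from the original article or its author). It assumes that the e-mail address is the direct identifier in a set of customer records, replaces it with a keyed token (HMAC-SHA256), and keeps the key and the token-to-identifier mapping in a separate "vault" object, which stands in for the additional information that must be stored separately. The record set and all names (`PseudonymisationVault`, `pseudonymise`) are constructed for this illustration.

```python
"""Pseudonymisation of a record set with the re-identification data kept apart.

Direct identifiers are replaced by a keyed hash so that the pseudonymised
records alone cannot be linked back to a natural person. The key and the
reverse lookup table live in a separate object that would, in practice, be
stored on a different system with stricter access control.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "city": "Ghent", "orders": 3},
    {"email": "bob@example.com", "city": "Leuven", "orders": 1},
    {"email": "Alice@Example.com", "city": "Ghent", "orders": 2},
]


@dataclass
class PseudonymisationVault:
    """The 'additional information': secret key plus token -> identifier map."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonym(self, identifier: str) -> str:
        # Normalise so the same person always yields the same token, which
        # keeps per-subject grouping possible in the pseudonymised data.
        normalised = identifier.strip().lower()
        # A keyed hash (not a plain hash): without the key, an attacker cannot
        # rebuild tokens from a list of candidate e-mail addresses.
        token = hmac.new(self.key, normalised.encode(), hashlib.sha256).hexdigest()
        self.lookup[token] = normalised
        return token

    def reidentify(self, token: str) -> str:
        # Only the holder of the vault can link a token back to a person.
        return self.lookup[token]


def pseudonymise(records, vault, direct_identifiers=("email",)):
    """Return copies of the records with direct identifiers swapped for tokens."""
    out = []
    for rec in records:
        new = dict(rec)
        for name in direct_identifiers:
            if name in new:
                new[name + "_token"] = vault.pseudonym(new.pop(name))
        out.append(new)
    return out


def contains_direct_identifier(records, direct_identifiers=("email",)):
    """Check used to confirm the data set handed to analysts is clean."""
    return any(name in rec for rec in records for name in direct_identifiers)


if __name__ == "__main__":
    vault = PseudonymisationVault()
    data = pseudonymise(RECORDS, vault)
    print("pseudonymised:", data)
    print("still contains e-mail:", contains_direct_identifier(data))
    print("re-identified first record:", vault.reidentify(data[0]["email_token"]))
```

The design choice worth noting is the split: the pseudonymised records can be handed to analysts or third parties, while the vault stays with the controller. A second vault with a different key produces entirely different tokens for the same people, so leaking one pseudonymised data set does not help link records in another.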
You will also need to take organisational measures. These measures will mostly concern physical access to the processed personal data. It must be technically and physically impossible for unauthorised persons to gain access to the personal data your organisation processes.
The personal data processed within your organisation must be managed correctly.
After you have carried out an audit within your organisation to map out which data is being processed and where this data is located, you can set to work on managing this data.
Think of the best way to manage the data that your organisation processes. Consider, for example, the digitisation of your paper files. After all, correct data management reduces the risk of data leaks.
Transparency is one of the most important principles of the GDPR. Therefore, you should always communicate clearly and intelligibly with all stakeholders.
Transparent communication is essential from the moment your organisation starts collecting personal data. You should clearly communicate to the data subjects which data you will be processing, why you will be doing this and what will happen with these data. The best way to do this is through a ‘Privacy Statement’ that you publish on your website.
In addition, transparency also means that you clearly communicate to the data subjects where they can go with any questions and/or complaints.
9. Contract management
It is important to examine the contracts that your organisation has with various service providers and suppliers. After all, in many cases, these also involve the processing of personal data.
A review is essential to see what personal data you exchange with contract partners. Where appropriate, you should also review these contracts to be compliant with the GDPR.
Even if you do not exchange data with certain contract partners, it may be advisable to review these contracts. After all, your contract partners, or their employees, may in some cases have access to data. Think for example of a cleaning service that has access to your paper archives. It may be interesting for these contracts as well to include clauses relating to the confidentiality of this data.
10. Consider insurance
You can take all sorts of measures to prevent data leaks, but this does not mean that there is no chance a data leak occurs. It may therefore be worthwhile to take insurance to cover such an eventuality.
In most cases, insurance for data leaks is called cyber insurance. It can cover the damage resulting from a breach of your cyber security.
This insurance will be interesting in many cases. Hackers are increasingly targeting smaller organisations, as these often do not have the budgets to pay for the best cyber security systems. As a result, in addition to the possible loss of data, your organisation also runs the risk of all kinds of other financial consequences. Cyber insurance reduces the financial burden on your organisation.
It is important to regularly review and audit your organisation. The fact that your organisation is GDPR compliant today does not mean that you will automatically process personal data in a GDPR-proof way in the years to come.
The exchange of personal data between public and private actors, including natural persons, associations and companies, has increased throughout the Union and will only increase in the future. Rapid technological developments and globalisation constantly create new challenges for the protection of personal data. Just as society evolves, your organisation is also constantly changing and new contracts are concluded or new employees arrive, etc…
Therefore, it is important that you regularly reflect on the GDPR compliance of your organisation. The previous steps should therefore be repeated on a regular basis.
It is the data controller who is responsible for ensuring compliance with the basic principles relating to the processing of personal data. The controller will always have to be able to demonstrate that measures have been taken to guarantee these principles. The principles relating to the processing of personal data are contained in Article 5 of the GDPR (AVG) and appear to be one of the most violated provisions according to the case law of the Data Protection Authority. It is therefore of the utmost importance that a data controller takes action and can justify its actions.
13. Necessity or a virtue?
Often companies consider the GDPR a necessary evil rather than a virtue. This does not always have to be the case. In recent years companies have been struggling with data leaks. The GDPR is meant to offer a solution to this problem, now that companies are forced to be more aware of how they deal with personal data. Not only to protect those whose personal data is processed, but also to protect companies’ own interests. Just think of the Cambridge Analytica scandal, in which the British company slyly and under false pretences collected Facebook data on possibly 87 million Facebook users worldwide. This data was then used to show people targeted advertisements for then-presidential candidate Donald Trump.