Effort counts when it comes to GDPR compliance

Only a limited number of companies were fully GDPR compliant on 25 May 2018. There are various reasons for this. Many companies started too late or not at all. However, the main reason is that the GDPR requirements are extensive and complicated.

So, don’t strive for full compliance all at once, but opt for a gradual implementation of GDPR measures.

This concept is hard to grasp for some people: you’re either compliant or you’re not. Reality is different, however: because of the number and complexity of the measures, attaining full compliance is difficult. Therefore, we advocate using a maturity model, starting with the most crucial and obvious measures and adding more advanced measures later on.

However, it is important to be able to demonstrate that you are working on GDPR, have implemented the most important measures and have addressed the greatest risks.

Therefore, you should document a number of elements, in particular the initial compliance assessment and the resulting action plan. That way, in case of an incident, you can demonstrate to the authorities which measures you have already taken and which are planned, so you won’t appear completely unprepared.

To become compliant and limit the risk of fines and reputational damage, the following main points require most of the attention:

  • Make and maintain records of processing for the data flows for which you are controller or processor
  • Appoint an internal or external DPO (Data Protection Officer) if required
  • Document and create evidence of compliance and accountability in all processing activities
  • Implement stricter security requirements
  • Implement stricter rules on transparency and data retention
  • Review contracts with (sub-)processors and controllers
  • Define a procedure for data breach reporting
  • Prepare for data subjects exercising their rights

What if you need assistance?

GDPR is neither purely an IT project, nor is it purely a legal one. GDPR is a multi-disciplinary project, requiring the implementation of organisational, IT-technical and legal measures. That’s why it’s best to set up a multi-disciplinary working group, with representatives of all of these disciplines, as well as those departments managing the most, and the most critical, personal data.

ITaaSC can help you in several ways to deliver your GDPR project. We can coach you, review deliverables or play a more active role by taking responsibility for performing some or all of the activities (IT, legal, process, change management).

Examples of activities that we can perform on your behalf:

  • Coach your DPO
  • Offer you a DPO-as-a-service in case you do not have somebody to perform that role
  • Compile a comprehensive awareness campaign
  • Set up a "data register" based on a tool selected to meet your specific requirements (on-premises or in the cloud)
  • Conduct a detailed assessment and produce a mapping of all data flows
  • Make sure the necessary "consent" statements are included on all printed and electronic media where you collect data subject data
  • Design new processes for obtaining consent from data subjects
  • Ensure compliance with an IT security framework (ISO 27001, NIST, …)
  • Design and implement a Data Privacy Impact Assessment (DPIA) analysis
  • Review contractual amendments, privacy clauses and consent notices

Our data protection team includes experts in GDPR and data privacy, senior project managers, lawyers, consultants, cybersecurity specialists, auditors, risk management specialists and more.

Contact us for a free assessment:

DigiSoter www.digisoter.com
