Establishing GDPR compliance in 2024 – where to start?

At TalTech Legal Lab we know that many companies are struggling with GDPR compliance. As we mentioned in our last article, there have been several GDPR breaches recently, in Estonia as well as elsewhere. Personal data leaks, unlawful disclosures and other incidents demonstrate how vulnerable an organization can be when GDPR compliance has not been taken care of. It is important to understand that GDPR compliance is more than just a few privacy-related documents on a company's website. Establishing GDPR compliance means that an entity has developed and implemented a plan to keep personal data secure and to meet all of the specific obligations the GDPR imposes on it.

But how should you start? What are the typical mistakes to avoid? What are the common misconceptions that companies have about data protection? In this article, we will give you a practical overview of how to kick off your in-house GDPR compliance project. In this and forthcoming articles, we will share practical tips and explain some of the most important GDPR concepts.

Step 1 – know your personal data processes

Do you know how, and which, personal data you process as part of your everyday business activities? Most companies, when asked this question, are quick to reply that they do know their processes. However, in most cases there is a lot to discover. For example, let's say that you are a company that provides digital marketing services to other companies. You are probably well aware that you carry out several different personal data processing activities for marketing purposes, such as profile analysis, sending newsletters, updating subscribers' personal data, storing subscribers' personal data and so on. However, if you took an in-depth look at all the personal data processing activities in your organization, it is very likely that you would find a lot more. A common shortcoming is that organizations have "forgotten" that their employees are also data subjects. Moreover, sometimes the riskiest personal data processing activities are those carried out with employees' personal data. For example, if you have surveillance tools on your premises and you are carrying out surveillance of your employees, you may have an obligation to carry out a data protection impact assessment according to Art 35 in the GDPR. To be compliant with the GDPR, you need to start by mapping all personal data processing activities.

If you do not know what your personal data processing activities are, you do not know your GDPR related obligations.

Companies that do not know what their data processing activities are, i.e. that have not mapped their data processing activities, are too quick to rush into "solving" GDPR problems inadequately. Mapping the data processing activities means that the company drafts a detailed description of all personal data processing activities. In many cases, this is done in the first stage of a data protection audit. However, if the company is not interested in a data protection audit at the moment, the mapping of all personal data processing activities can also be done separately.

The obligation to keep records of processing activities according to Art 30 in the GDPR is more than just creating another Excel sheet. It is the first crucial step towards solving your GDPR troubles.

Having the records of processing activities according to Art 30 in the GDPR in place means that you have met one of the basic GDPR obligations. Which is good news! It is important to note that the relevant data protection supervisory authority has the right to ask you to provide the records to them for review. The supervisory authority can then investigate the data processing activities and, should they find any inconsistencies with the GDPR, they may issue a precept or take other measures.

In our next article, we will give a detailed explanation about the meaning of "records of processing activities" pursuant to Art 30 in the GDPR. We will share tips on how to draft these records and how to make the most of having all personal data processing activities mapped.

An example of mapped personal data processing activities in an organization's Human Resources department.

Step 2 – make sure to meet the basic obligations

As we know, the GDPR stipulates several obligations for organizations that are subject to this regulation. Which obligations are relevant for your organization depends on whether your organization is a data controller, a processor or a joint controller. However, the basic obligations are the following:

  • Records of processing activities
  • Finding a suitable legal basis for each personal data processing activity according to Art 6 and 9 in the GDPR
  • Depending on the specific legal basis, fulfilling the relevant additional obligations (e.g., legitimate interest analysis, consent form)
  • Privacy notices for all data subjects
  • Retention deadlines to ensure that personal data is not stored longer than necessary
  • Cookie consents and cookie policy
  • Data processing agreements with processors
  • If applicable, data protection impact assessments

Step 3 – implement processes to keep the basic obligations met

One of the main reasons why companies struggle with GDPR compliance in the long run is that they fail to implement procedures for updating GDPR-related notices, analyses and other documentation. This also includes updating the records of processing activities.

Further, a crucial step towards keeping your organization compliant with the GDPR is to engage the DPO (if the organization has one) or the external GDPR advisor whenever the organization develops a new service or product that involves the processing of personal data, so that the plans are reviewed in light of the GDPR. Most companies still struggle with this.

Any questions about establishing GDPR compliance in your organization? Do not hesitate to reach out! If you are interested in learning more about our GDPR tool Complymate, be sure to request a demo by sending us an email at [email protected]

Abhishek Mathur, LL.M., Legal Advisor.

Tech-contracts / Commercial Transactions Lawyer.

1 year

Thanks for sharing
