GDPR: 10 things businesses should do if compliant or not compliant yet

Out-Law Analysis | 25 May 2018 | 8:31 am | 4 min. read

ANALYSIS: The 25 May marked the start of a new data protection regime in Europe, but the date is only the end of the beginning for businesses that are compliant with the new rules. Similarly, those companies that failed to meet the deadline must not be deterred from completing their compliance journeys.

Paris-based data protection law experts Annabelle Richard and Valentine Morand of Pinsent Masons, the law firm behind Out-Law.com, have set out a checklist of actions for businesses to help them meet their obligations under the General Data Protection Regulation (GDPR).

10 things businesses that have still to comply with the GDPR should do 

  • Keep calm and carry on: Even in the field of data protection, late is better than never. The most important thing is to have a compliance plan. If you have not been able to complete it by 25 May, you should at least know where you are going.
  • Choose your champion: Designate a person to lead your compliance programme.
  • Know yourself: To reach your targets you need to know your strengths and weaknesses. Carefully map the data flows coming into and going out of your entity and begin drafting a record of your processing activities (the record required by Article 30 of the GDPR).
  • Prioritise: Identify which actions should be tackled first. A sensible first step is to prioritise the rights and obligations that already existed before the GDPR, since those are the ones you have no excuse for neglecting. Prioritisation should also take account of the specific risks your processing activities create for the rights and freedoms of data subjects, for example where you process sensitive data, process data on a large scale or carry out profiling.
  • Document: In line with the accountability principle under the GDPR, any and all efforts made to achieve compliance should be documented. This includes privacy policies and internal policies, recording the consent obtained from data subjects and keeping the record of processing activities up to date. You should also inform data subjects, whether consumers, employees, clients or suppliers, about the data processing operations you carry out.
  • Communicate: Let people know what you are doing, inside and outside your organisation. Do not forget that providing clear information to data subjects is one of the cornerstones of compliance.
  • Learn / Teach: Make sure your data protection champion, as well as everyone involved in data processing, understands what your compliance programme is about. Some of the mechanisms made mandatory by the GDPR are not easy to handle. For example, make sure that you have provided the tools and guidance to any member of staff who may need to complete a data protection impact assessment (DPIA).
  • Secure: Review the security measures implemented to protect personal data, from controls on who can access personal data to technical measures such as encryption and password policies. Check that these measures are proportionate to the risks you identified when mapping your processing, and that you are able to detect a personal data breach and notify the supervisory authority within the 72 hours the GDPR allows.
  • Reach out: Contact your data processors, such as cloud providers, payroll services providers and IT support service providers, as well as clients and partners, to ensure your relationship with them is structured to allow compliance with GDPR obligations on both sides, including the written contract the GDPR requires between a controller and its processors. Do not forget that compliance is not just about words on paper: you should have actual knowledge of how they operate.
  • You are now ready to start: Indeed, do not forget that getting compliant is only the beginning. Policies and procedures will need to be updated so you can remain compliant as your organisation, activities and technologies keep evolving.

10 things businesses that are already GDPR-compliant should do 

  • Treat yourself: You are one of the courageous few to be compliant on time.
  • Avoid complacency: Do not forget that 25 May is only the beginning and not the finish line.
  • Keep it real: Ensure that the processes you worked so hard to put in place on time are actually implemented – these will include retention policies, security measures, timely handling of data subjects’ requests, for example.
  • Adapt: Keep your processes alive and relevant in light of your processing activities and legal obligations. Improvements in technology will require security measures to evolve over time, and the views of the public and of regulators on matters such as acceptable retention periods will mature.
  • Make it count: Make sure your organisation devotes the necessary resources to these topics and grants your data protection officer or data champion the means necessary to fulfil his or her mission.
  • Discipline yourself: Beware of function creep. Stick to the purposes you told your data subjects about, or inform them before their data is used for new projects.
  • Communicate: Make sure that your data governance is known and understood internally and externally. Don't forget it could become a competitive advantage.
  • Stay alert: Look for additional changes that will or may occur at European level. This is likely to include evolution in the Commission’s adequacy decisions, which relate to data transfers overseas, and the introduction of a new e-Privacy Regulation, which among other things will govern the use of 'cookies'.
  • Pay attention to what is done at national level: Many areas were left by the GDPR to be dealt with at the national level and your national data protection authority may publish helpful guidance tools and documentation.
  • Stay in touch: Liaise with your clients, partners and sub-contractors to make sure you are all aligned. They may also inspire you with best practices and good ideas.