What is the GDPR?
Since the mid-90s, the world has seen an increase in data exchange and processing of personal data. However, regulation in the European Union has not sufficiently addressed increasing concerns about consent and misuse of personal data.
Estimates show that the resulting (lack of) compliance and the inconsistent implementation of Directive 95/46/EC costs companies around €2.3 billion annually. The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, is uniformly applied in all EU member states and essentially aims to close existing gaps in the data protection law.
The GDPR brings significant changes that require companies to adopt a coherent approach to compliance with all EU regulations. The main beneficiaries of the new regulation are people whose rights to privacy are significantly strengthened and who can exercise these rights directly against companies.
Who is affected by the GDPR?
The geographical scope of the GDPR is significantly wider than that of the Directive: it applies not only to companies based in the EU, but also to
- non-EU companies that process personal data in connection with offering goods or services to private individuals within the EU, or
- non-EU companies that record the trade of such individuals, insofar as this takes place within the EU
What does the GDPR do?
The GDPR, which represents a “supercode” of practice for companies, requires companies that collect data to manage the associated risks with transparency and accountability. Key changes include:
- Commitment to apply the principles of data protection through technology (data protection by design), as well as through privacy-friendly default settings (data protection by default)
- Carrying out a data protection impact assessment for lower-risk processing
- Strengthening the data subject's rights through the right to access data and the right to delete the data
- The right of the data subject not to be subject to any decision (e.g. profiling) that evaluates their personal aspects
- Obligation to report personal data breaches. The controller notifies:
  - the competent supervisory authority immediately and, where feasible, within 72 hours of becoming aware of the breach
  - the affected persons and data controllers immediately
- Data transfer to third parties. Companies commit to evaluating third parties, including
  - data processors (e.g. IT service providers, external payroll) and
  - data controllers (e.g. regulatory authorities, healthcare providers)
- The GDPR holds both controllers and data processors responsible for their own level of security and also provides for restrictions on the hiring of subcontractors
- Appointment of a data protection officer (DPO) if the company employs more than 9 employees working on automated data processing
Data protection violation
Compliance with the GDPR, which costs companies between €1 and €10 million, now represents a major risk for employers, who must not only develop a thorough understanding of the regulation, but also take into account the relevant local laws or collective agreements on data processing.
In addition, the overlapping conditions imposed by the GDPR are likely to trigger a flood of legal disputes between individual affected parties and supervisory authorities, as claims can be made for both material and immaterial damage. Fines and sanctions for violations are imposed at various levels, from SMEs to listed companies. The amount of the fine depends on a number of factors, including
- The legal nature
- The degree of fault (culpability)
- Previous violations
The maximum fine is significantly increased to 4% of the global total annual turnover or €20 million (whichever is higher) for significant violations. These include
- General principles for processing personal data, including conditions for consent (Art. 5-7, 9)
- Rights of data subjects, including the right to be forgotten and the right to data portability (Art. 12-22)
- Transfer of personal data to third countries or international organizations (Articles 44-49)
- Provisions on non-compliance with an order issued by the supervisory authority to restrict data processing, or on failure to grant access to all personal data (Art. 58 para. 1-2)
- Provisions on specific processing situations, including obligations under national law relating to processing and freedom of opinion and information and the processing and public access to official documents (Articles 85-91).
The maximum fine is increased to 2% of the total annual turnover or EUR 10 million (whichever is higher) for non-minor infringements. These include
- Obligations of the controller and the processor, including the implementation of data protection through technology and privacy-friendly default settings (Art. 8, 11, 25-39)
- Obligations of the supervisory authority (Art. 41 para. 4)
- Obligations of the certification body (Art. 42-43)
In order to avoid heavy fines, both economic objectives and risk management must be taken into account. But how do you become GDPR-compliant despite all the uncertainties? To bring you one step closer to GDPR compliance, we have created a practical checklist with the most important aspects for your company.
Checklist: 9 steps to GDPR compliance
1. Understanding the law
Familiarize yourself with the GDPR and your obligations regarding the collection, processing, and storage of personal data.
To do this, we have created a step-by-step guide, which you can find under the following link:
https://academy.e-profound.com/p/dsgvo-schritt-fur-schritt
2. Formulate a “Governance Plan”
Make sure that decision makers are informed about the changes in data protection legislation and the associated effects on your company. Create a plan with a list of actions needed to achieve compliance and a governance structure to ensure appropriate engagement with the right people at every stage of the process.
3. Audit implementation and/or privacy impact assessment (PIA)
Conduct a personal data audit that covers current data processing practices. The audit checks for
- Categories of personal data
- The use of personal data
- To whom personal data is shared
- Where personal data is stored
- Any cross-border transfer of personal data outside the EEA
- Any security measures for personal data
High-risk processes in your company are checked with a PIA. Such processes relate to
- Comprehensive processing of confidential personal data
- Profiling of affected persons and their influence
- Comprehensive and systematic monitoring of people
For PIA documentation:
- Create a standard PIA process that meets GDPR requirements
- Consider whether existing processing activities are risky enough to require a PIA
4. Analyze gaps
The results of an internal data audit and/or a PIA help you identify gaps and areas where changes are needed. A gap analysis not only brings you one step closer to GDPR compliance, but also tells you the next steps in your compliance process.
5. Appoint a data protection officer
The mandatory requirement to appoint a DPO applies to companies with more than 9 employees working on automated data processing and where the core data processing activities consist of special categories of data related to criminal convictions. Regarding the qualifications of a DPO, two essential requirements must be met:
- Independence: In order to ensure appropriate advice to company management, a DPO acts completely independently in fulfilling their duties.
- Technical expertise: The level of technical expertise required depends on the type of organization (for example, the required level of technical expertise of a DPO is assumed to be higher in an IT company than in the healthcare sector).
6. Coordinate transfer of data to third parties
The GDPR provides clear requirements for organizations to ensure that there is adequate contractual protection with third-party processors. The regulation also imposes restrictions on the appointment of subcontractors.
To comply with the requirements of the GDPR, you must contact existing data processors and amend the relevant contracts. Therefore, carry out a project to prioritize the various relationships and set clear parameters for working with third parties.
7. Update existing privacy notices and policies
You must ensure that your organization's existing privacy notices and policies are updated. To this end, the GDPR sets clear requirements for the information that must be provided to data subjects when processing their personal data.
The regulation requires:
- Certain specific policies, such as security policies
- Accountability (as a company, you must not only be responsible for compliance but also be able to demonstrate it)
- The tools necessary to comply with the GDPR
In addition to general protective measures, it is recommended to create specific guidelines for various areas of your organization (e.g. marketing or personnel).
8. Train employees
Make sure that employees are informed of their duties and responsibilities when processing data on behalf of your organization (e.g. your employees must commit to confidentiality in accordance with Art. 28(3)(b)) and are made aware of the potential risk of fines and other sanctions under the GDPR.
9. Design and implement compliance systems
The GDPR requires companies to keep records of processing activities that detail the types of data they process and the categories of third parties with whom they share the data (whether they transfer it outside Europe) and the security measures they take with respect to that data.
Prioritize the respective steps
When deciding which action plans should be prioritized on the path to GDPR compliance, a number of factors can be considered. These include:
- The level of risk of potential non-compliance
- Whether the individual measures are business-critical
- Costs and duration of implementing individual points