The General Data Protection Regulation (“GDPR”) is a complex document that lists many obligations burdening personal data controllers and their processors: they must design and enact policies, create or adapt their documentation on the organization’s processes, develop and deliver training and control programs which will need to last and adapt in time…
The process of complying with GDPR requires decision making and acts coming from the very top of an organization; it affects all tiers of the structure and pretty much all of its departments, and it aims at strengthening, or adapting, the culture of the organization when it comes to data protection.
With the foregoing in mind, the GDPR compliance process must cover a number of subjects, or steps. CNIL, the French supervisory authority, has published a guideline describing these steps in a practical and useful way, and LegIT-Team has drawn on that guideline to recommend the following steps:
1. Appoint a project leader
To manage the governance of personal data within your organization, you will need a conductor of sorts, whose mission is to inform, advise and control. This person must therefore know GDPR quite well and be able to tell general management how the organization is affected and what it must develop and implement.
2. Map existing practices
In order to realistically quantify the impact of the European Union’s regulation on the way you need to protect the data you control, you need to make a precise and exhaustive inventory of all personal data processing. For this, creating a record of processing activities will give you a good view of the current state of things. In addition, make an inventory of your current data protection policies and of any other measures already implemented to ensure the security of that data.
3. Prioritize actions that need to be carried out
Based on your audit of the current situation, identify all actions you will need to carry out to comply with today’s obligations as well as future ones. Nobody really believes that you will be able to complete your organization’s compliance program in an instant, but the important thing is for you to plan and start the process, and to make progress in a way proportionate to your specific economic means.
4. Manage risk
If you have identified personal data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, you will need to carry out, prior to starting the processing and for each type of processing, a data protection impact assessment (DPIA). This is a more complex process, but it is key to demonstrating that you know what you are doing and that you are implementing appropriate measures.
5. Implement internal processes
To ensure the enduring security of personal data, you must implement internal processes that guarantee, at any given time, that you take into account any event that might occur during the lifetime of the data processing activity (for example, a security breach, the handling of requests for correction of, access to or amendment of collected data, a change of processor…).
6. Document compliance
Do not forget that the burden is on you to prove your compliance with GDPR. The best way to achieve this is to create and centralize documentation relating to all personal data processing activities, including a chronological journal of actions planned, started and achieved, as this journal will demonstrate the effort your organization has committed to and the progress you have achieved. Beware, however, that this is not enough: actions and documentation completed at any given time must be reexamined and updated on a regular basis to ensure that personal data protection remains adequate over time.
How does one achieve all this?
The process detailed above is not as simple as it looks, and it certainly demands time and availability as well as, as explained under step 1, a project leader or sponsor who knows what needs to be done and who can see it through to completion.
Many companies and organizations of any kind will come to realize that such a project leader does not exist within their structure. Don’t panic! This is the DNA of LegIT-Team: to help you manage your compliance process, with the level of intervention that suits your needs, as we describe in more detail on this website and as we can discuss with you to make sure we adapt to your particular needs, whatever they are.