How to comply with GDPR
GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.
A risk-based approach means that, whether the business is a data processor or a data manager, you are obligated to assess the types of data that are stored or processed by the business. You then need to make sure that organizational and technical security measures or safeguards are in place that correspond to the assessed risks.
Examples of technical measures include strong firewalls, ongoing updates of code and systems, encryption and a robust IT infrastructure.
Examples of organizational security measures include documented procedures, clear policies for personal data, access control, training in correct data processing, and the further education of employees.
To comply with GDPR, businesses need to have:
- Risk assessments
- Policies and procedures
- Audits and documentation
Read more below.
How do you perform a risk assessment?
Risk assessments will typically evaluate, or assess:
- What types of data are stored by the business (there are, for example, differences in sensitivity between storing e-mail addresses and copies of passports)
- The consequences of data leaks (for example, phishing, hacking or accidental internal leaks of material containing personal data)
- The security measures in place to minimize the above risks
On the basis of these factors you can assess whether the risk is acceptable, or if you need to implement new safeguards to minimize the risk of data being stolen or leaked.
You are also required to document the considerations behind your procedures.
Policies and procedures
Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.
Typically you’ll divide personal data policies according to whether they pertain to personal data about employees or about clients/customers. A personal data policy for clients could, for example, contain the following:
- A clarification of whether you’re acting as data manager or data processor.
- Where the personal data is stored – on internal or external servers or storage units? If it’s stored outside of the EU/EEA then what did you do to ensure a sufficient level of security?
- Whether you have a DPO, and if so, what the DPO’s assignment is and how you’ve secured the DPO’s position in the organization.
- What the stated purpose is for storing data, specifically your legal basis and the legitimacy of the purpose.
- What your policy for deleting or erasing personal data is, and for how long you store data after the termination of a client/customer relationship.
- Optionally, which technical and organizational security measures you’ve implemented to protect against data leaks, and how you’re planning to react in the case of a leak.
The business procedures should be kept in an internally accessible document written to support the workflow and procedures you’ve agreed upon. A business procedure is often a relatively detailed description of how you handle personal data, with specific procedures for how your business, in its day-to-day activities, ensures that unnecessary data is deleted, and for how you share data with others, whether colleagues or external data processors.
Audits and documentation
At the same time, you need to be able to document that your processing of personal data is in accordance with GDPR and local law. You need to document, for example, how you delete personal data after the end of a business relationship.
A business can have multiple procedures for how and how often it deletes data, but under GDPR it is essential that they are written down or otherwise documented, so that the relevant regulatory agencies can audit your actions and confirm that you’re complying with GDPR.
The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.