The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) was published on 4 May 2016. Here are the final versions of the GDPR in French, Dutch and English.
You will find below an overview of the main issues you will have to address before the deadline of 25 May 2018, and some ideas on where to start:
- Perform an audit of the personal data currently being processed, determine whether the processing is documented in accordance with the GDPR and whether a data protection impact assessment (DPIA) is necessary, and keep only the personal data that is necessary for the processing,
- Check on what basis/ground the processing is being carried out and, if it is on the basis of consent, check whether the consent is valid according to the GDPR or whether another ground may be invoked,
- Put together a team that will verify the scope and the impact of the GDPR on your organisation and allocate a budget,
- Verify whether you have to appoint a data protection officer (DPO),
- Review your privacy notices and policies and make sure they are GDPR-proof (i.e. they give the data subject all the information the GDPR requires),
- Check your processing agreements and consider whether you need to expand the warranties they contain (notably in case of sub-processing),
- Embrace privacy by design and privacy by default when developing a new product or a new service,
- If you are a service provider, be aware that as a processor you now have strict obligations of your own under the GDPR, going beyond the implementation of organisational and technical security measures,
- Prepare for personal data breaches and establish policies and procedures for detecting, documenting and notifying them,
- Establish a framework for accountability, establish a culture of monitoring, reviewing and assessing data processing,
- Make staff aware of data protection and set up training; ensure that staff processing personal data are bound by confidentiality,
- Bear in mind that data subjects will be exercising their rights and that you will have to react swiftly, via your DPO or another single point of contact,
- Check whether you have a valid basis for transferring data outside the EU.