The GDPR goes into effect in just a few days, and while your company has probably been working for months or more to be compliant with this groundbreaking new regulation, here are five items that should be at the top of your last-minute GDPR checklist.
- Map your data. A detailed data map, consisting of information about specific data elements and how they flow between different entities, IT applications, vendors, etc. throughout the course of a processing activity will be essential to meeting many other GDPR requirements, such as breach notification and fulfilling data subject rights. Not having a data map in place will make life more difficult when having to respond to a personal data breach or a data subject request.
- Document your legal bases. Article 6 of the GDPR allows for lawful processing of personal data under one of six different legal bases. Therefore, at a minimum, data controllers need to identify and document their legal basis for every processing activity that is subject to the GDPR; doing so will also help in other areas of compliance.
- Update your privacy notice. Articles 13 and 14 of the GDPR require certain information to be provided to data subjects about the processing of their personal data, e.g., the contact details of the data protection officer, the purposes of processing and the legal basis, the recipients of personal data, etc. The information provided needs to be concise, easily accessible and easy to understand, using clear and plain language. In other words, avoid legal and technical jargon, and think about what the average data subject in your audience would understand. Layered and/or just-in-time notices can also be implemented to assist in informing data subjects.
- Facilitate data subject access requests. Article 12 of the GDPR requires data controllers to “facilitate the exercise of data subject rights”, e.g., the right of access, the right to erasure, the right to data portability, etc. Specific requirements apply to each of these rights; however, general obligations apply to all of them as well, including fulfilling requests within one month of receipt, providing information by electronic means where possible, and notifying data subjects of the reasons for any delay or denial of a request. This is an important point, as most companies are struggling to comply with the data portability requirements; recognizing how significant this obligation is should prompt companies to follow up on it.
- Update your cookie practices. Article 5(3) of the ePrivacy Directive requires that any “storing or retrieving” of information from an end user’s device should be subject to consent unless it is technically necessary to enable the intended communication to take place. Currently, implied consent is enough; however, the GDPR will require consent to be “unambiguous,” which means that simply loading a website’s landing page or scrolling through the page will not be sufficient to establish consent. Instead, consent will need to be freely given, specific, informed, and unambiguous, with withdrawal of consent being as easy as giving it.
These are your important checkpoints. Even though the deadline is May 25, it does not mean you’ve reached the finish line. It is a milestone, but the race is a long one. Your company can continue to improve its practices, and must do so to keep pace with changing regulations worldwide.
If you’d like help ensuring compliance with data portability requirements, visit us at safeonline.eu