What it Means
EU GDPR requires companies to take an organised, proactive and documented approach to data protection compliance. Companies are responsible for their own data protection policies and will be completely liable for any breaches which may occur. The concepts of ‘privacy by design’ and ‘privacy by default’ are central to this approach – they oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing. Your policies should ensure they follow these concepts in your implemented measures which should include: data minimisation, pseudonymisation, transparency, allowing individuals to monitor processing, creating and improving security features on an ongoing basis and using privacy impact assessments.
The accountability measures appropriate to implement will vary for each company, depending on the nature, scope, context and purposes of the relevant data processing as well as the gravity of any impact upon the rights and freedoms of individuals.
Organisations should take appropriate technical and organisational measures now to comply with these principles by documenting that they have implemented the following:
- Data protection policy
- Data security policy
- Data retention policy
- Staff awareness and training
- Adequate employment contracts
- Internal audits of processing activities
- Reviews of internal HR policies
- Relevant documentation on processing activities
- Record of processing activities
EU GDPR will also introduce a new role into an organisation’s structure – a Data Protection Officer. Should processing of personal data be carried out by a public authority, if regular and systematic monitoring of data subjects on a large scale exists or if special categories of data are processed on a large scale, a DPO must be employed to oversee proceedings. An ideal DPO is one who knows exactly how the organisation operates and the best way in which to integrate the data protection law into the workings of the organisation. DPOs are the go-to people for employees within an organisation, they must oversee what is going on across operations and negotiate and balance interests between the board, the workforce, maybe a work council, and third parties such as customers who have data protection-related questions, as well as the authorities, should they want to approach the organisation.
In order to account for your effort towards EU GDPR compliance, your policies should embody and ensure the principles of data protection by design and data protection by default by interpreting how exactly the EU GDPR affects your company.