GDPR goes into effect in just a few days, and while your company has probably been working for months (or more) to be compliant with this groundbreaking new regulation, here are five items that should be at the top of your last-minute GDPR checklist.
- Map your data - A detailed data map, consisting of information about specific data elements and how they flow between different entities, IT applications, vendors, etc. throughout the course of a processing activity, will be essential to meeting many other GDPR requirements, such as breach notification and fulfilling data subject rights. Without a data map in place, responding to a personal data breach or a data subject request will be considerably more difficult.
- Document your legal bases - Article 6 of the GDPR allows for lawful processing of personal data under one of six different legal bases. Therefore, at a minimum, data controllers need to identify and document their legal basis for every processing activity that is subject to the GDPR; doing so will also help in other areas of compliance.
- Update your privacy notice - Articles 13 and 14 of the GDPR require certain information to be provided to data subjects about the processing of their personal data (e.g., the contact details of the data protection officer, the purposes of processing and legal basis, recipients of personal data, etc.). The information provided needs to be concise, easily accessible and easy to understand, using clear and plain language. In other words, avoid legal and technical jargon, and think about what the average data subject in your audience would understand. Layered and/or just-in-time notices can also be implemented to assist in informing data subjects.
- Facilitate data subject access requests - Article 12 of the GDPR requires data controllers to “facilitate the exercise of data subject rights” (e.g., the right of access, right to erasure, right to data portability, etc.). Specific requirements exist with respect to each of these rights; however, general overall obligations exist as well, including fulfilling requests within one month of receipt, providing information by electronic means where possible, and notifying data subjects of the reasons for any delay or denial of a request. This is an important point, as most companies are struggling to provide access and data portability. Recognizing the importance of this matter should prompt organizations to follow up on it.
- Update your cookie practices - Article 5(3) of the ePrivacy Directive requires that any “storing or retrieving” of information on an end user’s device be subject to consent unless it is technically necessary to enable the intended communication to take place. Currently, implied consent is enough; however, the GDPR will require consent to be “unambiguous,” which means that simply loading a website’s landing page or scrolling through the page will not be sufficient to establish consent. Instead, consent will need to be freely given, specific, informed, and unambiguous, with withdrawal of consent being as easy as giving it.
These are your important checkpoints; make sure that you have reached them. Even though the deadline is May 25, it is not the finish line; rather, it is simply a pit stop in what is a long race.
Read the complete article here.
Point number 4, facilitating access and data portability, is a very important one. Ask us how we can help you comply. Visit us at www.idlink.eu