Charting out the road map to GDPR compliance

December 2017

Direct Media’s Digital Group Account Manager and IAB Serbia’s Legal and Policy Committee member Igor Černiševski describes the steps that need to be taken on the road to GDPR compliance.

If you’ve read the previous pieces written by my colleagues, you already have a pretty good idea of the GDPR’s key components. Here, I try to recap the steps that need to be followed to align your business to comply with the GDPR.

Analyzing and documenting the data management process and data security

Responsibility is a central theme that practically permeates the entire GDPR. Analyzing and documenting all processes that involve working with data, together with the security measures that protect them, is a solid first step in the process of adjusting to the GDPR.

The first step of this analysis should include identifying the ways of and reasons for processing personal data. The most important thing to define is whether you process personal data at all. If the answer is yes, the next step should be identifying the existing security systems and procedures and assessing whether the data are processed in line with the new requirements. These steps are practically mandatory if we look at the fine prescribed for non-compliance with the GDPR (EUR 20 million or 4% of the total global annual turnover).

It is very important to note that the alignment process is not limited to the legal department, data protection officer, or IT department. This process concerns the entire organization because data are everywhere, practically running through every operation at most companies. Processes must undergo a comprehensive analysis—especially in larger companies—and all the divisions that come into contact with the “outside world,” suppliers, and partners must be surveyed, so as to ensure that not a single item remains uncovered and to get a completely accurate insight into all the data collection and processing procedures that take place in a system. This will allow you to “examine” all data-related processes, establishing a roadmap for your organization to follow in its GDPR alignment process.

What needs to be documented?

While analyzing and documenting activities related to data collection and processing, every activity should be described by answering four basic questions about the data involved: what, where, when, and how. The answers to these questions give us insight into the consequences of each process and the risk inherent to each item. Here are a few questions that can help you in this process:

  • What information does your organization provide before and during the data collection process?
  • Whose data are collected and processed, what are these data, where do you process them, and for what reason?
  • Are the data anonymized (“cleansed” of all personal identifiers)?
  • How long are these data kept?
  • Whom do you share the data with?
  • Do you process any other data (IP addresses, cookies…)?
  • What are your data security procedures?
  • What companies do you share any kind of data with?
  • What kind of data do you share with them?
  • Do you currently forward or receive consent to anyone or from any partner which you share any data with?

Defining a roadmap for GDPR compliance

When you complete the previous step, you will get a fairly good picture of the data you collect, and this is the right moment to understand what activities in your existing processes are not in line with the GDPR. Here are a few questions that can help you at this time:

  • How are your existing processes not in line with the GDPR?
  • What can you do to modify them?
  • How much time and resources do these changes require?
  • Do you have the users’ consent to process their data?
  • Do you forward this consent to partners and in what way?
  • How are you planning to provide the users with the right to access data and other rights under Articles 12–22 of Section III of the GDPR?

Conducting a study on the impact of data retention

The next step would be to conduct a study on the impact of data retention. The GDPR prescribes that it is necessary to produce this study before processing the data in the following cases:

  • When a new technology is used
  • When the level of risk for data subjects is high. You can use one study for multiple cases, if the risks are the same
  • When there is a need for a systematic and detailed automated evaluation of the users’ personal data
  • When you process a large amount of personal data
  • When you constantly monitor a public space that is accessed by many people

What you definitely need to take into account are the activities of legislative bodies in Serbia and the EU, since they are obligated to publish the list of activities for which the study is required. There is an announcement that a list of activities that do not require a study will be published, but we do not have the final information about it yet.

Analyzing and adapting existing agreements and privacy policies

Analyzing and adjusting internal processes is just one part of the job that is ahead of you. Another important aspect is getting aligned with partners. In some cases, the GDPR requires data processing companies to have special agreements with their partners, where the company and the partner it works with can be considered as “joint controllers.” Once again, a data controller is a company that determines the purpose and method of processing personal data. At the very least, this means that you need to thoroughly analyze all your agreements with your partners and your existing privacy policies. If your website or web shop contains a privacy policy and terms of use, this means that you do collect personal data and that you have to align these documents with the GDPR.

It is recommended that you pay special attention to the following:

  • All agreements with suppliers you share any data with
  • All terms of use
  • All privacy policies

There are solutions you can use to automate some of these tasks, but you must keep the possibility of data leakage through such tools in focus to avoid potential issues.

Appointing the Data Protection Officer (DPO)

Another much-discussed issue is the Data Protection Officer—the person who will ensure that the processes in which you collect and process personal data are in line with the GDPR. Appointing a DPO is required:

  • If the company’s core business involves continuous and systematic monitoring of data subjects
  • If data collection and processing are the core business and involve a large amount of personal data
  • If the data that are collected and processed include racial, ethnic, political, religious, or philosophical information about the data subject, trade union membership, genetic and biometric information, or health or sexual orientation information.

The DPO is formally responsible for ensuring that the company is aware of its data protection obligations and that it meets these obligations in practice. The DPO must know the law and its real-life application in detail. The details of the DPO’s duties will be explained in a separate article in this series.

Be informed and inform others

After completing the previous steps, when you have a clear picture of what changes you need to make, you need to inform your employees about the required changes and train them so that they are able to implement the planned changes in practice. Inform your partners, align your changes with them, and make sure that they are also informed about the required changes—this way the whole process will move forward more quickly and smoothly.