Direct Media’s Digital Group Account Manager and IAB Serbia’s Legal and Policy Committee member Igor Černiševski describes the steps that need to be taken on the road to GDPR compliance.
If you’ve read the previous pieces written by my colleagues, you already have a pretty good idea of the GDPR’s key components. Here, I try to recap the steps that need to be followed to align your business to comply with the GDPR.
Analyzing and documenting the data management process and data security
Responsibility is a central theme that practically permeates the entire GDPR proposal. Analyzing and documenting all processes that involve working with data, together with data security, is a solid first step in the process of adjusting to the GDPR.
The first step of this analysis should include identifying the ways of and reasons for processing personal data. The most important thing to define is whether you process personal data at all. If the answer is yes, the next step should be identifying the existing security systems and procedures and assessing if the data are processed in line with the new requirements. These steps are practically mandatory if we look at the fine prescribed for non-compliance with the GDPR (EUR 20 million or 4% of the total global annual turnover).
It is very important to note that the alignment process is not limited to the legal department, data protection officer, or IT department. This process concerns the entire organization because data are everywhere, practically running through every operation at most companies. Processes must undergo a comprehensive analysis—especially in larger companies—and all the divisions that come into contact with the “outside world,” suppliers, and partners must be surveyed, so as to ensure that not a single item remains uncovered and to get a completely accurate insight into all the data collection and processing procedures that take place in a system. This will allow you to “examine” all data-related processes, establishing a roadmap for your organization to follow in its GDPR alignment process.
What needs to be documented?
While analyzing and documenting activities related to data collection and processing, every activity should be described by answering four basic questions about the data involved: what, where, when, and how. The answers to these questions give us insight into the consequences of each process and the risk inherent in each item. Here are a few questions that can help you in this process:
- What information does your organization provide before and during the data collection process?
- Whose data are collected and processed, what are these data, where do you process them, and for what reason?
- Are the data anonymized (“cleansed” of all personal identifiers)?
- How long are these data kept?
- Whom do you share the data with?
- Do you process any other data (IP addresses, cookies…)?
- What are your data security procedures?
- What companies do you share any kind of data with?
- What kind of data do you share with them?
- Do you currently forward consent to, or receive consent from, any partner you share data with?
Defining a roadmap for GDPR compliance
When you complete the previous step, you will get a fairly good picture of the data you collect, and this is the right moment to understand what activities in your existing processes are not in line with the GDPR. Here are a few questions that can help you at this time:
- How are your existing processes not in line with the GDPR?
- What can you do to modify them?
- How much time and resources do these changes require?
- Do you have the users’ consent to process their data?
- Do you forward this consent to partners and in what way?
- How are you planning to provide the users with the right to access data and other rights under Articles 12–22 of Section III of the GDPR?
Conducting a study on the impact of data retention
The next step would be to conduct a study on the impact of data retention. The GDPR prescribes that it is necessary to produce this study before processing the data in the following cases:
- When a new technology is used
- When the level of risk for data holders is high (you can use one study for multiple cases if the risks are the same)
- When there is a need for a systematic and detailed automated evaluation of the users’ personal data
- When you process a large amount of personal data
- When you constantly monitor a public space that is accessed by many people
What you definitely need to take into account is the activity of legislative bodies in Serbia and the EU, since they are obligated to publish the list of activities for which the study is required. It has been announced that a list of activities that do not require a study will also be published, but we do not have final information about it yet.
Analyzing and adapting existing agreements and privacy policies
It is recommended that you pay special attention to the following:
- All agreements with suppliers you share any data with
- All privacy policies
There are solutions you can use to automate some of these tasks, but you must keep your focus on possible data leakage in order to avoid potential issues.
Appointing the Data Protection Officer (DPO)
Another much-talked-about issue is the Data Protection Officer—the person who will ensure that the processes in which you collect and process personal data are in line with the GDPR. Appointing a DPO is required:
- If the company’s core business involves continuous and systematic monitoring of data holders
- If data collection and processing are the core business and involve a large amount of personal data
- If the data that are collected and processed include racial, ethnic, political, religious, or philosophical information about the holder, trade union membership, genetic and biometric information, or health or sexual orientation information.
The DPO is formally responsible for ensuring that the company is aware of its data protection obligations and that it meets these obligations in practice. The DPO must know the law and its real-life application in detail. The details of the DPO’s duties will be explained in a separate article in this series.
Be informed and inform others
After completing the previous steps, when you have a clear picture of what changes you need to make, you need to inform your employees about the required changes and train them so that they are able to implement the planned changes in practice. Inform your partners, align your changes with them, and make sure that they are also informed about the required changes—this way the whole process will move forward more quickly and smoothly.