The key to insight is overview. Therefore, start with making an inventory of all your processing activities. It might be an investment in time and money, but it’s the magic trick for compliance. Want a little help? Download our whitepaper on data mapping.
Now that the data inventory is done, it’s time to check whether you have all required processor agreements in place. These agreements should at a minimum cover the following matters:
- Subject matter
- Duration of the processing
- Nature and purpose of the processing
- Type of personal data
- Categories of data subjects
- Obligations and rights of the controller
A more detailed description of these requirements can be found in article 28 GDPR.
Data subjects have a set of rights they can exercise, such as the right of access. How does your organisation handle these data subject requests? A quick win is to set up an internal procedure for this kind of request, so no panic arises when you receive one.
The thing with data breaches is that the question is not whether one will occur, but when. Given the limited time to notify the supervisory authority (72 hours), it is key to have a solid procedure in place for when a data breach occurs.
Privacy is more than a boardroom topic. Make it fun and involve your employees by organising awareness sessions and appointing privacy champions throughout your organisation.
GDPR requires your privacy policies to be written in plain language and to be concise, easily accessible and easy to understand. Go through your current policies and check whether improvements can be made.
Declutter! Do you have retention terms for all your personal data items? Great. But do you also have a process in place to make sure personal data is really deleted when the retention term has expired?