In-Depth: Top 10 Steps To Prepare For GDPR

STEP 1: Develop A Culture Of “Privacy By Design”

Review your approach to privacy and how you manage data protection.
Conduct Data Protection Impact Assessments (assessments of the strength and suitability of your organizational and technical data security measures), and develop procedures to mitigate risks identified in the assessment.
- Under GDPR, these are required where data processing is likely to result in a high risk to individuals, such as where a new technology is being used, or there is large-scale processing of special categories of data. Special categories of data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health records, and criminal records, are subject to a higher level of protection under GDPR. Note that financial data is not considered a special category of data under GDPR.
- They are recommended for all organizations.
Ensure you have sufficient technical safeguards for the personal data you process. Technical safeguards should include procedures for automatically identifying and classifying personal data, pseudonumization and encryption of data, and technical security measures.
Assessments should be ongoing, especially as new technologies are implemented.

A DPO is required if your organization carries out regular and systematic monitoring of individuals on a large scale, or if you carry out large-scale processing of any of the special categories of data.
A DPO is recommended in all cases to ensure responsibility for data protection by a person who has proper knowledge, institutional support, and authority.

Ensure that all decision makers, and key people handling or directing usage of data, are aware of their responsibilities.
Conduct ongoing training on data protection.

GDPR requires that any company with more than 250 employees must maintain records of processing activities.
Even if exempt from the recordkeeping requirement, all organizations must be able to demonstrate how they comply with the data protection principles, and good records will help such a demonstration.
Conduct a data inventory. Consider all information collected and used within all areas of your organization.
Engage in data-mapping to understand and track what personal data you hold, where it came from, why it is collected, who it is shared with, how it is held, and when it is no longer needed.
Develop written internal policies regarding the measures that your organization will take to protect personal data and ensure its proper use.
Develop information retention policies that govern how long you will retain personal data, and the methods for its deletion/destruction.
If you carry out cross-border processing of data (including across EU-member states), determine where your organization makes its most significant decisions about processing activities to determine your lead data protection supervisory authority within the EU.
If your information collection includes personal data of persons under 16, be aware that GDPR has additional requirements relating to children’s personal data.

Under GDPR, you must have a lawful basis for processing personal data. The following are the legal bases that are most directly applicable to commercial enterprises:
- The information is necessary to perform a contract between the organization and the individual.
- You have a legal obligation to process the data (such as a court order).
- The organization has a legitimate interest in collecting and processing the data – note that the context in which the data was collected and the relationship between the organization and the subject individual will be considered in determining whether there is a legitimate interest.
- The individual has provided direct consent to the processing of the data – note that this basis will provide the individual with the most rights regarding how the data is subsequently used and whether it must be deleted on request.
For each category of personal data collected, document the applicable lawful basis, ensure that the data is only able to be used for the identified purpose(s), and maintain records accordingly.
Minimize your processing of personal data – don’t collect or keep information that is superfluous or unnecessary, and don’t keep information any longer than necessary.

Where consent is your lawful basis for processing personal data, that consent must be freely given, specific, informed, and unambiguous.
- Pre-ticked boxes, or treating silence as presumed consent, will not be sufficient.
- Consent must be simple to withdraw once given.
- Separate processing activities cannot be “bundled” into a single consent.
Existing consents will need to be refreshed if they do not meet GDPR requirements.

Develop processes to address requests from individuals regarding their rights in their personal data. The following individual rights are specified in the GDPR:
- Right to be informed about what data is collected and why;
- Right of access to data that has been collected;
- Right to rectification/correction or inaccurate data;
- Right to erasure of data (“right to be forgotten”);
- Right to restrict processing of personal data;
- Right to data portability;
- Right to object to use of data; and
- Right not to be subject to automated decision making, including profiling.
Most of these rights currently exist in the EU (pre-GDPR), but the right to data portability is new. When it applies, you must have the means to transfer the data record, upon the individual’s request, in an electronic, commonly-readable format. It only applies:
- To personal data provided by an individual;
- Where the processing is based on the individual’s consent or for the performance of a contract; and
- When processing is carried out by automated means.

Ensure that your privacy disclosures accurately describe the information collection and usage practices evaluated and determined in Steps 4 through 7.
The lawful basis for processing personal data, the data retention periods, and the right of individuals to submit complaints to the member states’ data protection authorities, must all be explicit within your privacy notices.

If third parties process, store, or otherwise manage data on your behalf, you are responsible for those parties’ compliance with GDPR as is relates to your data.
Review contracts and agreements with business partners, cloud service providers, and other third parties, and ensure that third parties have organizational and technical measures in place to secure data.

Confirm that internal protocols are sufficient to detect breaches promptly and report them up the proper chain of command.
Implement procedures for investigating and mitigating data breaches.
Report data breaches within required timelines:
- The applicable EU data protection supervisory authority must be notified, within 72 hours of your becoming aware of the breach, if the breach is likely to result in a risk to the rights and freedoms of individuals (examples: risk of discrimination, reputational damage, financial loss, loss of confidentiality, or other economic or social damage).
- The affected individuals must also be notified if there is a high risk to their rights and freedoms.
Consider cyber insurance or, if you have cyber insurance, review coverage and limits to address potential liability under GDPR.

Click here for our Cybersecurity, Privacy & Technology Team.