How to comply with the requirements of GDPR

On July 20th the new privacy regulation, GDPR, came into force. It strengthens our privacy and ensures equal rights in the processing of personal data across Europe. We have had ample time to adapt to the requirements of the new regulation; however, the inquiries to the supervisory authorities indicate that there is still some uncertainty surrounding compliance with the new requirements.

How do you know that your business is compliant? Here are seven steps to ensure that you are compliant with the new regulation:

  • Know the principles for processing personal data described in Article 5. You should be familiar with the terms lawfulness, fairness and transparency, purpose limitation, storage limitation, data minimization, accuracy, and integrity and confidentiality, and know what they mean for your organization.
  • Have control over which personal data is processed in your organization, the purpose and legal basis for each processing activity, who is responsible for processing the data, and how the data is processed and stored.
  • Have a privacy policy that describes how personal data is processed and that is easily accessible to the data subject. This also includes the contact details of your data protection officer.
  • Be able to document a risk assessment covering the risks of personal data being processed in violation of the regulation, and of loss, deletion or alteration of personal data by unauthorized persons. The measures that are planned and implemented should also be included here.
  • Have secured the personal data and the systems against loss of confidentiality, integrity and availability. Privacy and data protection by design and by default are implemented in the solutions you use.
  • Have established data processing agreements with other businesses that process personal data on behalf of others. The agreement shall describe how privacy is safeguarded by the data processor, how the data processor complies with GDPR and other requirements, and its responsibility when processing your personal data. Other regulations apply if the personal data is processed outside the EU/EØS.
  • Have routines for how to notify a personal data breach and how to handle the data subjects' rights to access, correct and delete personal data.