GDPR has arrived and brings huge changes to how companies must handle the personal data of their customers and other stakeholders. Data portability, the right to be forgotten and the obligation (or not) to appoint a data protection officer are some of the main changes the legislation introduces. However, one of the major concerns of companies is the large fines the law provides for offenders. The new GDPR focuses heavily on enforcement and penalties, through the application of high fines for offenders. For minor breaches a fine may reach 10 million euros or 2% of the global turnover of the group the company belongs to, and in the worst cases it may reach 20 million euros or 4% of worldwide turnover. So it is essential to know how to avoid GDPR fines!
There should be a strategic action plan for implementing the GDPR and for evaluating compliance on an ongoing basis. All areas of the company should be involved, and the plan should include the identification, evaluation and categorization of the personal data the company has stored.
Professional advice is essential if the GDPR is to be implemented correctly. A legal adviser will identify the steps already taken and those still needed to comply with the GDPR. This assessment is especially useful if a partner will be engaged to make the necessary changes.
The company needs to check whether it is mandatory to appoint a Data Protection Officer (DPO). Where one is required, this professional is responsible for the obligations set out in the GDPR. The new regulation requires that a DPO be designated if one of these cases applies:
Processes must be created or adapted so that data is protected. The methodology to be used should be privacy by design, which also makes it easier to monitor and communicate events involving personal data.
The data privacy policy must be updated to meet the new requirements of the legislation. A classification scheme for personal data and for how it is processed should be defined. The company's legal department should be involved in this process, and the policy should include all information about how the data is actually processed, including the purpose of the processing.
The company must implement processes that allow it to detect, report and resolve personal data breaches, with security in mind throughout. For this, it is advisable to use recovery-as-a-service offerings.
Customer service procedures must be prepared to receive all requests made under the new law, whether online or offline. It is essential to ensure that the security of citizens' data is not compromised and that citizens know the purpose for which the company stores their data.
All suppliers and partners involved in data processing must meet the requirements of the new GDPR. For example, when purchasing a database, the company should ensure that the subcontractor supplying it also complies with the new law.
The company must create an internal communication program that involves all areas of the business in this change. The GDPR compliance officer should inform and train employees about data privacy and about the risks that non-compliance poses to the company.
The company must ensure that highly sensitive data is encrypted or masked, so that it cannot be lost and the company does not fall victim to the heavy fines set out in the new regulation. Datapeers offers a variety of sophisticated scrambling techniques to protect sensitive data, replacing it irreversibly with fictitious but realistic data.