Before you start preparing for the GDPR and its implementation, it is important to find out whether you come under its scope of application.

Most companies and individuals process personal data, whether by automated means or manually in a database, and so come under the GDPR. If you aren’t sure whether this applies to you, use our GDPR checker to find out whether or not you come under the GDPR’s scope of application.

If you do, it is best to follow the step-by-step plan below to prepare for the GDPR:

Step 1: Familiarising yourself with the GDPR and its terminology

The first step in your preparations must always be to obtain the necessary knowledge on the matter. To be able to estimate your obligations correctly, you must at least master the general principles and the correct terminology, such as ‘party responsible for processing data’, ‘personal data’, etc. Read more about this in our blogs, or call in a privacy specialist.

Step 2: Setting up a data register

Organise an internal audit that analyses all personal data and the processing carried out. First, this gives you a clear picture of what is being done with the data at your organisation. Second, it fulfils a major new obligation under the GDPR, i.e. maintaining a register of your data processing activities.

Step 3: Facilitating the exercise of rights by the parties concerned

Identify the legal bases for processing from the register you have set up. The most frequently-occurring legal bases are: consent from the parties concerned, the need to conclude a contract, and your company’s justifiable interests.

Notify the parties concerned of your processing activities in the correct manner. To do this, you may have to re-evaluate your existing privacy statement. Implement internal procedures for handling requests from a party concerned for access to their data, for rectification or deletion of the data, or for its processing to be limited. Designate an internal or external person who will be responsible for this. In some cases you will also have to ensure that the data is transferable (‘data portability’).

Implement procedures to detect, report and investigate data leaks; this must be done in advance, not after a leak has occurred. In addition, you can draw up the necessary documents and a contingency plan, and you can even hold a trial run if you so wish.

Step 4: Appointing a DPO

After you have gained a clear insight into the processing activities at your company and examined and/or implemented the most essential procedures, you should check whether you have to appoint a DPO. Click here to check whether you are obliged to appoint a DPO.

Step 5: Keeping your employees informed

Even the best data protection policy is useless unless your employees comply with it in their daily activities. In practice, we have found that the majority of data leaks are caused by an internal employee rather than e.g. a third party acting with malicious intent.[1] In addition, severe sanctions may be imposed under the GDPR in the event of non-compliance with its obligations. For this reason, you must make sure that your employees are properly trained and kept up to date. Read more about the advantages of e-learning.

Step 6: Reviewing the working of your organisation

Consider how you can implement the concepts of privacy by design and privacy by default. Firstly, this means that data protection principles will have to be incorporated into new processing projects and, secondly, it means that the default settings may only process the minimum quantity of personal data needed. In addition, you must carry out Privacy Impact Assessments (PIAs) for certain projects. This refers to activities that constitute a risk to natural persons’ rights and liberties, such as large-scale systematic monitoring of spaces open to the public (e.g. car parks) or large-scale processing of data relating to health, etc.

Consider whether your contracts with subcontractors still provide sufficient guarantees, certainly in the case of the international transfer of data.

[1] UK Information Security Breaches Survey 2015