The General Data Protection Regulation (GDPR) creates a great deal of nervousness among companies:
- “How should I start with the implementation?”
- “Which of my data processing activities are relevant?”
- “Under which circumstances am I subject to fines?”
These and further questions are being discussed among responsible Managing Directors and CEOs. Rightly so? Not necessarily: if a company has complied with the applicable data protection law in the past, the statutory law itself has not changed significantly. However, most companies have enjoyed a more relaxed approach to data protection until now, in particular because the sanctions were less threatening. Against that background, the GDPR should be taken as a good opportunity to reconsider the company's internal data protection strategy. If a company has already employed and trained a Data Protection Officer (DPO) who also knows how to implement and roll out projects, such as implementing the GDPR, this individual is the right person to take charge of the challenges posed by the GDPR. Where no such individual exists, you may consider instructing DP-Dock for your GDPR project: besides external DPO services, we also offer interim project management. Our project managers have the necessary data protection skills, identify the relevant tasks and implement the required measures. The main tasks for our project managers are:
- Implementation of a record of processing activities, documenting where and how personal data is processed and stored.
- Assessment of the legal justification required for each relevant data processing activity, and of the extent to which it is documented.
- Setting up a process for handling data subject rights, e.g. requests for data deletion or data portability.
- Examination of Technical and Organisational Measures (TOMs), both internally and with respect to external data processors.
- Audit of the existing agreements with data processors. Do they comply with the new requirements of the GDPR? Are there transfers to countries outside the EU?
- Implementation of the required process for Data Protection Impact Assessments (DPIAs).
- Implementation of a data breach policy, also covering the required notification to the data protection authorities. Has a data breach panel been established?
- Documentation and maintenance: how is reporting on data protection organised within the company or group of companies?
These and further tasks need to be accomplished. To successfully fulfil the requirements of the GDPR, proper project management is required: milestones, timelines, budget and responsibilities need to be defined. We are happy to assist.