The purpose of this piece is to give some insight into the challenges our clients have faced when implementing their data protection and GDPR programmes. It is not a definitive guide. This is part two of a three-part overview series on GDPR and data protection recruitment.
At this stage you are probably already looking for a data protection officer solution, or beginning to implement your response.
Implementing GDPR's principles will take time, as noted previously in our data protection recruitment overview.
We outline some issues and solutions below to demonstrate the extent of the project you may have on your hands.
While the whole of GDPR may seem daunting, in the great majority of cases compliance will be a positive for the business.
Data protection – defining scope & including concerned parties
All personal data held by the business is in scope, including employee data. The exceptions are narrow: paper records that are not part of, and are not intended to form part of, a structured filing system fall outside GDPR, and so do the details of deceased persons.
The goal is to define the minimum amount of personal data the business needs to achieve its goals (data minimisation). Future disputes between controllers and their processors or partners will turn on what the contracts say, so if only one thing is tackled right now in your organisation, the contract wrappers around those relationships are a good place to start.
Identifying whether you act as a data controller (deciding why and how personal data is processed) or as a data processor (processing it on a controller's instructions) will define your early responses, since the two roles carry different obligations.
Involving stakeholders from the outset is key: marketing, IT (particularly if you are designing new consumer apps or building solutions with outside vendors) and legal. One of the central tenets of GDPR is data protection by design and by default, so bringing privacy into projects that involve personal data early will avoid costly revisions.
Personal data audits, automation, and information flows
Data protection audits and assessments (the UK Information Commissioner's Office publishes an excellent template that applies across the EU), together with the data protection impact assessments that are mandatory for high-risk processing, will help to define scope.
GDPR IT solutions such as Eurocomply Data protection compliance provide a cost-effective way of auditing the wider business before hiring expensive consultants. Data-sniffing software from companies such as Sonra helps locate personal data, and potential leaks of it, across your business infrastructure.
Best practice is to develop expertise in-house: you can outsource the paperwork, but not the accountability.
Following Google and Facebook's lead in offering customers an automated service to request a copy of their data and/or have it erased is a good solution if you have the means, even if it is only semi-automatic. Privacy-enhancing technologies are big business right now and bespoke solutions are available.
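As an added illustration of what such data-discovery tooling does (this is example code written for this article, not Sonra's or Eurocomply's), the following Python script scans text for e-mail addresses, payment card numbers and IBANs. It validates check digits (Luhn for cards, ISO 13616 mod-97 for IBANs) so that order numbers and similar digit runs are not reported as personal data, and it redacts what it reports so the audit register does not itself become another copy of the data. The sample export at the bottom is constructed.

```python
"""Toy personal-data locator for a GDPR audit: finds e-mail addresses,
payment card numbers and IBANs in text, validating check digits to cut
false positives. Added example with constructed sample data."""
import re
from dataclasses import dataclass
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# country code, two check digits, then 4-character groups
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


@dataclass(frozen=True)
class Finding:
    source: str     # file name or other label
    line: int       # 1-based line number
    category: str   # "email", "card" or "iban"
    preview: str    # redacted; the raw value is never written to the report


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(candidate: str) -> bool:
    """ISO 13616 check: rotate the first four characters to the end,
    map letters to 10..35 and require the number mod 97 to equal 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rotated = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rotated)
    return int(numeric) % 97 == 1


def redact(value: str) -> str:
    """Keep only the last four characters so findings can be triaged."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(source: str, text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(source, n, "email", redact(m.group())))
        iban_spans = []
        for m in IBAN_RE.finditer(line):
            if iban_ok(m.group()):
                iban_spans.append(m.span())
                findings.append(Finding(source, n, "iban", redact(m.group().replace(" ", ""))))
        for m in CARD_RE.finditer(line):
            if any(a <= m.start() < b for a, b in iban_spans):
                continue    # these digits are the tail of an IBAN already reported
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(source, n, "card", redact(digits)))
    return findings


def scan_directory(root: Path, suffixes=(".txt", ".csv", ".log")) -> list:
    """Walk a directory tree and scan plain-text files (for real use)."""
    out = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            out.extend(scan_text(str(p), p.read_text(errors="replace")))
    return out


def summarise(findings) -> dict:
    """Count findings per category for the audit register."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample export with deliberate decoys; not real data.
# Line 2 holds an order number that is not Luhn-valid, line 4 an IBAN
# and a card-like number with a wrong check digit.
SAMPLE = """order_id,customer,notes
1234 5678 9012 3456,anne.murphy@example.com,VIP
4111 1111 1111 1111,support desk,card on file
GB82 WEST 1234 5698 7654 32,refund ref 4111 1111 1111 1112,"""

if __name__ == "__main__":
    for f in scan_text("sample.csv", SAMPLE):
        print(f)
    print(summarise(scan_text("sample.csv", SAMPLE)))
```

Run against the constructed sample it reports one e-mail address (line 2), one card number (line 3) and one IBAN (line 4), and nothing for the order number or the mis-keyed card number. A real engagement would add patterns for national identifiers, phone numbers and the like, and feed the findings into the records of processing rather than printing them.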
Policies, procedures, and legal
Policies and procedures within the business need revision, both to train every employee who handles personal data and for accountability in the event of a breach.
A simple mistake by an employee is unlikely to result in a fine on its own. If the same mistake happens again and no data protection training is in place, a different outcome is likely.
Legal advice may be needed for a company ‘personal data breach’ policy.
GDPR is about personal data, your customers' included, so procedures for data subject complaints and requests (in particular the right of access under Article 15) need clear ownership and resolution paths to avoid compensation claims.
And as mentioned in the previous article, executive backing for the GDPR response is critical for eventual success.
Finsearch professional recruitment provides data protection recruitment solutions covering all aspects of GDPR recruitment and compliance, from sourcing data protection professionals and legal talent to business analyst and project manager contractors, permanent and contract.
Contact us here or call us in Dublin on 00 353 1 556 344.
Access our network of talented data protection professionals, and discuss how we can help your organisation today.