It has now been a little more than a month since GDPR was applied in law. It is now, after the implementation of the GDPR, when things become interesting! What organizations will the Supervisory authorities in Europe investigate first? How well prepared are companies for GDPR? In my work as Compliance Manager and GDPR Consultant, I receive daily questions about GDPR. In this blog post I have gathered some of the most frequently asked questions from both companies and individuals.
Which companies will be investigated first?
In Sweden, the supervisory authority, Datainspektionen, will prioritize cases where “risk of abuse is particularly high” according to the Datainspektionen website (eg organizations dealing with large amounts of sensitive personal data). Datainspektionen will also prioritize received complaints and cases that have been highlighted by the media.
According to the Swedish Datainspektionen, their first supervisory engagement will investigate if organizations that needed to hire data protection officer (DPO) have done this (eg authorities, security companies, marketing companies, etc.). The role of the DPO is to be an extension of the supervisory authority and they should have an independent position inside or outside of the company, something which will also be examined.
We have just started our adaptation work to GDPR and are not yet compliant, what do we do?
The work to meet the requirements of the regulation from the ground up should be done as a project. The first step is to make an outline of the organization’s data processing activities – create a list of the organization’s systems or processes where you identify why / how / where etc. personal data is processed. Then, the GDPR-work is mostly about creating GDPR-adapted agreements, informing registered persons and ensuring that there are documented policies, rules and processes in place that take into account the regulation. GDPR will entail major changes for many organizations, so it is important that the management team takes their responsibility and manage the change work.
If you have not completed what is specified above, don’t panic! What is most important is that you have a compliance plan in place that the management stands behind.
Is it necessary to use lawyers if you want to comply with GDPR?
It depends on your ambition level. In order to comply with the regulation as a whole, people who know practice when it comes to data protection laws (ie lawyers who have worked with data protection laws before the implementation of GDPR) are required. An important part of GDPR compliance is creating agreements for suppliers, so called processing agreements. In these instances, lawyers are very helpful; especially those who are know contract law. It is also important that there are people, either within your organization or consultants, who have knowledge of information security, and the organizational and technical measures needed for safe handlind of personal data. If you plan on hiring consultants to help with GDPR compliance, you will need people who know the technical, the legal, and the organizational aspects of GDPR and what it takes to comply with the regulation.
My company just has a simple website, how do I know if we need to fulfil the requirements of GDPR?
If you process personal data, you have to comply with the GDPR. Personal data is everything that can identify a physical person, such as name, IP address, email address and images. Do you have a website, customer register, employee register, collect e-mail addresses – you need to comply with GDPR. In essence, this means that all organizations have to follow the requirements in GDPR.