STEP 1: Check whether your company processes personal data
According to the GDPR, personal data is defined as 'any information relating to an identified or identifiable natural person'. In other words, it is any data that can be used to identify a person. If your company processes data about natural persons through which they become directly or indirectly identifiable, then your company processes personal data.
STEP 2: Create a register of processing activities
To be GDPR compliant, your company must comply with five rules of thumb and the associated accountability obligation. The rules of thumb are (1) purpose limitation, (2) accuracy, (3) transparency, (4) data minimisation and storage limitation, and (5) integrity and confidentiality. To comply with this, you must establish a register of processing activities.
STEP 3: Communicate and ensure that the data subject is able to exercise their rights
Draw up a privacy statement that transparently shows which data is being processed and why. Also indicate which rights the data subject, i.e. the person from whom you are collecting data, can exercise.
STEP 4: Determine the legal basis of the processing activities
As a company, you may only process personal data if you can rely on one of the following legal bases:
- Legal obligation
- Vital interests
- Public interest / exercise of official authority
- Legitimate interest
STEP 5: If required, make sure there is explicit permission
According to the GDPR, the consent of a data subject must always be the result of a clear affirmative action, which shows that the data subject freely, specifically, informedly and unambiguously consents to the processing of their personal data. In addition, the data subject must be able to withdraw their consent just as easily.
STEP 6: Take the necessary security measures and report data leaks in good time
It is important that you take the necessary security measures to protect the personal data. Should a data leak nevertheless occur, you must report it to the competent authority as soon as possible.
STEP 7: Data Protection Impact Assessment (DPIA)
Make sure that you build in data protection right from the start of a processing activity. Always start from a "risk-based approach" and, if necessary, carry out a Data Protection Impact Assessment (DPIA), also known as a security assessment.
STEP 8: Appoint a DPO if necessary
Appoint a data protection officer (DPO) when legally required to do so. If this is not required by law, we nevertheless recommend that you appoint someone who is responsible for protecting the personal data.
STEP 9: Take into account the international exchange of personal data
Are you also active internationally? Then ensure that the necessary safeguards are in place when you transfer data to third countries.
STEP 10: Draw up a processing agreement
When personal data are processed by another entity on your behalf, it is important to draw up a processing agreement. This agreement must clearly describe who is responsible for what.
Not sure if your company is GDPR-compliant or not sure how to implement certain things? Then contact one of our specialists via firstname.lastname@example.org.