
Three steps organisations can take to begin the GDPR compliance journey

  • Ireland
  • General

03-04-2018

As the introduction of the GDPR draws ever closer, we have set out below some immediate steps that organisations can take in order to kick-off the GDPR compliance journey.
 
GDPR introduces the principle of accountability, which requires organisations not only to comply with the obligations of the GDPR but also to be in a position to “demonstrate” such compliance. In addition, another fundamental aim of the GDPR is to effect a change in organisations’ cultures and attitudes towards data protection generally.

1. Understand your data protection landscape

The key to compliance is understanding the data protection landscape within your organisation. This is important because what is necessary for one organisation to ensure compliance may not be relevant for another. This involves identifying the “Who”, “What”, “Why”, “When” and “Where”, as follows:
 
• Who - whose data is being held by the organisation?

• What - what data is being held by the organisation?

• Why - why is such data being held?

• When - how long is such data being retained for?

• Where - where is such data being held or stored?

Once the answers to the above questions are gathered, they will assist organisations in determining what steps they need to take in order to become compliant, including identifying what processes, procedures and policies need to be implemented.

2. Transparency – update privacy notices

Transparency continues to remain the cornerstone of data protection in the GDPR. The GDPR significantly increases the amount of information that must be provided to individuals about how their data will be used.
 
Organisations will need to update their privacy notices in order to ensure that such notices include all the information now required. This information includes contact details for the data protection officer (where applicable), the legal basis for processing the individual’s data, the data retention period (or the criteria used to determine that period) and details of any non-EEA data transfers (and the adequacy/safeguards adopted in respect of such transfers).
 
In addition to updating the privacy notices to include the additional information, organisations will need to ensure such notices are clear, concise and easily accessible for individuals.

3. Update third party contracts

Existing third party contracts with data processors (e.g. service providers) that process personal data on behalf of organisations should be updated to reflect the new contractual requirements set out in the GDPR. While a binding contract is required under the current data protection legislation, the GDPR is more prescriptive in terms of what contractual terms must be contained in such a contract.
 
The GDPR now imposes greater obligations on data processors generally and it provides for specific obligations on data processors in respect of security obligations and data breach notifications. In addition, the GDPR explicitly provides that such data processors will need to ensure that any sub-processor engaged by the processor is subject to the same obligations as the data processor.
 
Organisations should also be aware that, given the heightened obligations imposed on both data controllers and data processors, the conclusion of such data processing contracts is unlikely to be as straightforward as it previously may have been, as both parties will now likely want to limit their exposure as much as possible. As such, organisations should seek to begin this process without delay.

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
