The EU General Data Protection Regulation (GDPR) has made the biggest “shake-up” in the area of security and privacy of personal data over the past 20 years, blah, blah….

You probably know this already and must be thinking right now: ‘’Just tell me what I have to do, man!’’

So, let’s keep it simple and ‘’on point’’!

From our experience in the past 15 months of doing GDPR compliance advisory, we came to the following conclusion –  first and foremost, people are genuinely interested to know the following.

 

Am I under the regime of the GDPR?

Your company can qualify as a data controller or data processor, or both.

A controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

 

What are the critical points of conflict between my business and the GDPR?

Basically, this is where you need to start.

In order to successfully identify your exact exposure to the GDPR regulatory framework, our recommendation for you would be to start with a GAP-Analysis which would provide you with the necessary information based on which you can decide to enter into the implementation phase of the project.

 

What do I have to do to be GDPR compliant?

GDPR impact assessment

Identifying your exposure as well as defining your status under the new rules. Depending on your role under the GDPR and requirements you would have to meet we are providing you with the heat map of the main areas you need to focus on when preparing yourself to comply with the new data protection regime.

 

Legality of the processing

Ensuring you use the right legal basis for the processing of personal data you are involved in, and that you are aware of the related regulatory requirements you are required to meet.

 

Privacy by design & privacy by default

Assisting you in setting up the new or adapting the existing methods of the processing of personal data in such way which ensures that your activity meets the highest recommended standards for proper processing of the personal data under the GDPR.

 

Documentation

Adapting existing and preparing new additional documentation you need in order to meet relevant requirements regarding the disclosure of the relevant information under the GDPR as well as requirements on the internal documentation and record keeping.

 

Rights of the data subjects

Informing you about the rights of the persons with respect to which you are acting as the processor or controller of the personal data as well as advising you on the necessary steps that you will be required to make in order to ensure that the data subjects can enforce their by law guaranteed rights without undue delay or unnecessary complications.

 

Third parties and your relations with them

Depending on your role under the GDPR you might be required to meet some additional requirements regarding your relations with the third parties that get in touch with the personal data you are processing or controlling.

 

Data breaches and cybersecurity

Advising you on the relevant regulatory requirements that you need to meet regarding the security of the personal data you are processing as well as on the steps that you need to make when coping with the data security issues involving data breaches.

 

Post-implementation monitoring and assistance

Provided that you decide to make some changes to your existing methods of the processing of personal data we can provide you with the professional assistance regarding any questions that might arise in that process by keeping you and your organization in compliance with the GDPR.

 

How can I make the changes as ‘’painlessly’’ as possible (without severely affecting my business model)?

Well, it all depends on the business model of the company.

We like to say that there are:

(1) companies in the red zone

(2) companies in the yellow zone and

(3) companies in the green zone when it comes to GDPR compliance.

Companies that are in the red zone have business models that are, in their core in conflict with GDPR and very often this can be a showstopper for their business operations. Companies that are in the yellow zone have to adjust some parts of their business model to be compliant with the Regulation and, on the other hand, there are companies that implement the necessary privacy mechanisms without tampering with their business and they are good to go!