10-step preparation process
It is important that key employees and directors are aware of the upcoming changes and realize their magnitude, including the authority's greatly increased powers to impose fines.
Companies need to be aware of the costs associated with the changes and how time-consuming they might be.
3. DATA PROTECTION OFFICER
Companies and organizations need to evaluate whether they need to appoint a Data Protection Officer, who will be responsible for monitoring compliance with the new legislation. It may be necessary to train an existing employee, add a new employee or hire an external contractor.
4. DATA PROTECTION AUDIT
Companies and organizations should map their processing of personal data and analyze whether the processing complies with personal data legislation and in what way it needs to be changed or adjusted to meet the new legislation.
5. LAWFUL BASIS FOR PROCESSING
Processing of personal data must always be lawful. Where personal data is processed on the grounds of consent, the consent must fulfill the strict obligations presented in the new legislation; otherwise, a new consent needs to be provided for future processing.
6. ROLE AND RESPONSIBILITY
Companies and organizations need to determine whether they process personal data as data controllers or data processors and whether their responsibility increases with the new legislation.
7. RIGHTS OF DATA SUBJECTS
According to the new legislation, data subjects have extensive rights. Companies and organizations need to be aware of these rights and implement procedures including how requests will be handled within the timeframe set forth in the regulation and how personal data will be erased.
8. SECURITY BREACH
In light of the requirement to notify the Data Protection Authority, and possibly the data subjects, of security breaches, procedures must be implemented to ensure that companies and organizations respond quickly and according to the legal requirements put forth in the regulation.
9. DATA PROTECTION BY DESIGN
Companies and organizations that develop and design IT software and applications will have to study the rules on data protection by design and incorporate them into the development process.
10. INTERNATIONAL BUSINESS
International companies must determine which supervisory authority the company will answer to.