10-step preparation process

1. KNOWLEDGE

It is important that key employees and directors are aware of the upcoming changes and realize their magnitude, including the authority’s greatly increased powers to impose fines.

2. PLANNING

Companies need to be aware of the costs associated with the changes and how time-consuming they might be.

3. DATA PROTECTION OFFICER

Companies and organizations need to evaluate whether they need to appoint a Data Protection Officer, who will be responsible for monitoring compliance with the new legislation. It may be necessary to train an existing employee, add a new employee or hire an external contractor.

4. DATA PROTECTION AUDIT

Companies and organizations should map their processing of personal data and analyze whether the processing complies with personal data legislation and in what way the processing needs to be changed or adjusted to meet the new legislation.

5. LAWFUL BASIS FOR PROCESSING

Processing of personal data must always be lawful. Where personal data is processed on the grounds of consent, the consent must fulfill the strict obligations presented in the new legislation, otherwise a new consent needs to be provided for future processing.

6. ROLE AND RESPONSIBILITY

Companies and organizations need to determine whether they process personal data as data controllers or data processors and whether their responsibility increases with the new legislation.

7. RIGHTS OF DATA SUBJECTS

According to the new legislation, data subjects have extensive rights. Companies and organizations need to be aware of these rights and implement procedures including how requests will be handled within the timeframe set forth in the regulation and how personal data will be erased.

8. SECURITY BREACH

In light of the requirement to notify the Data Protection Authority, and possibly the data subjects, of security breaches, procedures must be implemented to ensure that companies and organizations respond quickly and according to the legal requirements put forth in the regulation.

9. DATA PROTECTION BY DESIGN

Companies and organizations that develop and design IT software and applications will have to study the rules on data protection by design and incorporate them into the development process.

10. INTERNATIONAL BUSINESS

International companies must determine which supervisory authority the company will answer to.

Prospective clients who would like to learn more about this practice area are invited to contact the below listed partners.

Hjördís Halldórsdóttir
Áslaug Björgvinsdóttir, CIPP/E