Preparation and to-dos

What to do in the preparatory phase?

Achieving GDPR compliance is a long and multi-step process that requires time, resources and expertise, and may bring about significant changes within your organisation.

Exploration:

  • What kind of data processing activities are carried out?
  • For what purposes?
  • What personal data are involved?

Investigation:

  • What obligations need to be fulfilled in relation to the individual data processing activities (definition of the scope)?

Review:

  • What modifications are necessary in current contracts, data processing policies and notices, information systems, organisational measures, processes, etc. to ensure compliance?

Data processing and protection:

  • Regulating the use of, and access to, personal data;
  • modifying or preparing contracts, notices and information documents;
  • establishing security (IT, organisational, etc.) controls for the prevention, detection and management of risks and incidents;
  • redesigning data protection, information security and IT systems;
  • keeping the necessary records and registers, sending requests for data, incident reporting (drawing up an action plan).

What are my duties as an employer?

As an employer (i.e. controller), you primarily have to perform the duties listed above in connection with your employment contracts, labour standards policies and contracts entered into with processors (e.g. recruitment agency, payroll accounting firm).

In addition, it is necessary, for example, to:

  • Develop model answers to possible requests for data and information;
  • ensure the security, timely availability and searchability of personal data using IT tools;
  • organise data protection training sessions for employees;
  • create and keep a data protection register.

What happens if, for any reason, you were not prepared for GDPR by 25 May 2018?

The Regulation entered into force on this date without any “grace period”, and therefore you had to be immediately prepared for its application.

Obviously, there will be interpretation and practical issues at first, but a failure to prepare is not a valid excuse.

The Regulation allows SMEs to be fined on the very first occasion an infringement is detected, without any prior warning.