GDPR – The Work Ahead

An essential ‘GDPR To Do’ list for the months ahead looks as follows:

• Nail the basics – As regulatory guidance on some of the essential aspects of the law – from its extra-territorial applicability to the lawful grounds for processing – continues to pour in, determining the appropriate legal basis for the use of personal data has become an absolute priority. Regulators expect nothing else than a solid foundation matched by a wholly transparent approach through a crystal clear and comprehensive privacy notice.
• Meet individuals’ demands – After the initial influx of data subjects’ requests in the early days of the GDPR, the pace of requests seems to have taken a ‘business as usual’ level. However, since EU data protection law is still primarily about putting people in control of their data, dealing with any requests from individuals seeking to exercise their rights under the law should always be a top priority.
• Adopt a credible Data Protection Impact Assessment (‘DPIA’) strategy – Of all the new accountability requirements in the GDPR – aside from the role of the data protection officer – carrying out DPIAs is likely to be the single most important contributor to ensuring compliance with the law. For this reason, regulators often seek to understand how organisations are deploying DPIAs and dealing with the outcomes of this practice.
• Engage with the regulators – One of the most significant features of the GDPR from a practical compliance perspective is its enforcement arrangements. Central to this is the One Stop Shop system of supervision, which gives a single regulator full competence to oversee the pan-European data processing activities of an organisation. This approach is still compatible with the multi-country data protection authorities and as a result, a well-thought out strategy for regulatory engagement will be essential for many organisations.
• Prepare for data security incidents – 72 hours to decide whether to report a data security incident is a very short timeframe. Experience shows that the most sensible way of dealing with the inevitable incident is to be ready for it and, particularly, to know how to assess the possible risk for individuals in order to determine whether to report it and if so, how.
• Legitimise global data flows – One of the unintended consequences of Brexit has been to highlight once again the importance of legitimising international data transfers. This is not a new issue but adopting a workable and future-proof strategy to enable global data flows is a must. For many organisations this may start with intra-group agreements and evolve towards BCR, but whatever the mechanism used, it should be kept under review.

Ultimately, the key point to remember is that meeting the GDPR’s requirements is an ongoing endeavour. One could never regard it as a job done. Having adopted a GDPR compliance programme, organisations need to keep it alive without ever losing focus of what matters most and how the law is evolving. Complete certainty might be an unachievable goal but being alert to the practical priorities and getting on with the work will go a long way.

This article was first published in Data Protection Leader (May 2019).

Authored by Eduardo Ustaran