Eight rules of thumb for data protection

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. It applies from May 25, 2018, less than 227 days away at the time of writing. Here are my eight rules of thumb to assist you with your GDPR compliance project.

1) Check what you collect and why you process personal data

Only collect information that you need for a specific and explicit purpose, and do not use it for any other purpose without a new lawful basis (typically fresh consent from the data subject). Remember that employee data is also personal data.

2) Ensure that you are entitled to process personal data

Identify a lawful basis for every processing activity before you start. If none of the other bases applies (for example, processing necessary for the performance of a contract to which the data subject is party, or a legal obligation), you need the data subject's specific, informed and freely given consent. Follow the stricter rules for sensitive (special category) personal data, direct marketing and the use of cookies. Data relating to children requires special consideration.

3) Be transparent

Identify yourself and inform data subjects in plain and simple language about your processing. Draft descriptions of your personal data files and make them available on request, and complement them with a clear privacy policy. Give data subjects a way to verify and correct their own information themselves, or be prepared to provide that information to them upon request.

4) Take care of security and access rights

Ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (access control on a need-to-know basis, encryption or pseudonymisation where feasible, backups and tested restore procedures). Keep logs of processing activity so that you can show who accessed what, and when.

5) Minimise and maintain personal data

Ensure that personal data is minimised, accurate and kept up to date. Pseudonymise data where possible and anonymise it where you can. Note the difference: pseudonymised data is still personal data, because whoever holds the key can re-identify the subject, whereas properly anonymised data falls outside the regulation. Only hold as much as you need, and only for as long as you need it.

6) Be careful with processors and transfers

Be careful when using third parties to process personal data on your behalf. Put a clear written agreement in place with each processor that sets out what they may do with the data and the security measures they must apply. Ensure that you have a lawful mechanism for any transfer of data across borders, especially outside the EEA.

7) Plan and document personal data processing and provide training

Plan and document your personal data processing and the processes around it, and review them regularly. Conduct a data protection impact assessment and appoint a data protection officer where required. Even if you are not required to appoint a data protection officer, make somebody responsible for data protection issues. Train your people (and partners) on your policies, processes and the regulations relating to data protection.

8) Be prepared for personal data breaches

Notify the supervisory authority of a personal data breach without undue delay after becoming aware of it and, where feasible, within 72 hours. Inform the affected data subjects when the breach is likely to result in a high risk to their rights and freedoms. Keep an internal record of every breach, including those you decided not to report and why, so that you can demonstrate compliance afterwards.