When seeking to get compliant with the GDPR, any person processing personal data should carry out the following actions:
1. Identification of personal data processing activities
data processing mapping (audit)
record of processing activities (where required)
identification of high risk processing activities
2. Corrective actions and DPIA
- taking any necessary corrective actions to ensure identified data processing acitvities comply with the data protection principles.
- Where the processing activity may result in a high risk, conducting a data protection impact assessment (DPIA)
3. Data Protection by default and by design
- implementation of technical and organisational measure in order to ensure existing and future data processing activities are identified from the outset, reviewed regularly and compliant with the GDPR requirements at all time (see here for more details about data protection by default and by design)
4. Security and data breach
- ensuring/checking the right level of security of personal data is in place (e.g. access management, encryption etc.); and
- implementation a personal data breach procedure in order to, where required, notify both the supervisory authority and the concerned individuals in the occurence of a data breach.
5. Privacy notice
- providing a privacy notice to individuals and where necessary obtaining their consent before processing their information (click here fore more information about the content of a privacy notice)
6. Individuals’ rights requests
- implementation of any necessary technical and organisational measures (e.g. procedures etc.) in order to handle individual’s rights requests in line with the GDPR requirements (e.g. right of access, data portability, erasure, right to object etc.)
7. Relationship with third parties
- reviewing and/or entering into data processing agreements with third parties (including entities of a same group companies) processing personal data on behalf or jointly with your company.
- international data transfers: implementing adequate guarantee when data are sent to third parties outside of the European Union (e.g. BCR, EU model clauses…)