On 16 March, Acolad and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens - AP) hosted the half-day workshop called Get your business ready for GDPR.
During the workshop, a group of 30 business executives from the Eindhoven area and two senior advisors from the AP discussed the most important practical impacts the European Union’s new General Data Protection Regulation (GDPR) will have on organizations. This blog describes the key takeaways from the event to help companies prepare before the GDPR becomes enforceable on 25 May 2018.
1 – Accountability
A key principle of the GDPR is the increased accountability of organizations. Every organization must document the processes and systems in which it handles personal data (the records of processing activities). Additionally, processing that is likely to be high risk (for example, large-scale processing of children’s personal data or other sensitive categories) requires a Data Protection Impact Assessment, and where that assessment shows the risk cannot be brought down, the data protection authority must be consulted before the processing starts.
This means organizations need to describe and analyze every system that deals with personal data (which, in a large corporation, is likely to be most of them). For example, if a company has 1,000 different applications, it must assess all of them: determine whether any personal data is stored in them, establish the lawful basis on which that data is processed (consent is one basis, but so are a contract, a legal obligation or a legitimate interest), define how long the data may be retained, and decide whether additional measures are needed to comply with the GDPR. Any system that processes “high risk” personal data also requires a privacy impact assessment (the regulation calls it a Data Protection Impact Assessment, DPIA).
2 – Physical archives
Another interesting point discussed during the workshop was the role physical archives play under the GDPR. Many organizations still have paper archives, and these fall under the GDPR as soon as the records form part of a structured filing system from which personal data can be retrieved. For example, if an organization lets its employees retrieve documents containing personal data from a paper archive and use that information, those documents have to meet the GDPR’s requirements just like digital records. This means organizations need a process to locate those documents and to redact or destroy the personal data in them once it is no longer needed or a data subject asks for its removal.
3 – Acceptance testing
Many companies still copy production data into their acceptance systems to simulate production conditions. The GDPR presents two challenges to this. First, personal data may only be collected and processed for the specified, explicit purposes for which it was obtained (purpose limitation). The question is whether acceptance testing is covered by the purposes the company communicated to its customers. Second, enterprises must determine whether they have a lawful basis, such as explicit consent, for using customers’ personal data for testing in an acceptance system. If so, the acceptance system must be protected with the same security measures and retention periods as the production system. If not, the production extract has to be anonymized or pseudonymized before it is loaded, or replaced by synthetic test data; note that anonymized data falls outside the regulation, whereas pseudonymized data is still personal data and merely lowers the risk.
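The following is an added example of the pseudonymization step described above; it is not code from the workshop or from Acolad. It assumes a constructed customer extract with the field names shown, a pseudonymization key that stays in the production secrets store (so nobody with access to the acceptance environment can reverse the tokens), and simple regular expressions for Dutch phone numbers and e-mail addresses in free-text fields. Identifiers are replaced with keyed HMAC tokens so that joins between rows still work, dates are coarsened, free text is scrubbed, and the export refuses to proceed if any original identifier still appears in the output.

```python
import hashlib
import hmac
import json
import re

# Constructed sample extract for the example; these are not real people or accounts.
PRODUCTION_ROWS = [
    {"customer_id": "CUST-1001", "name": "Anna de Vries", "email": "anna.devries@example.com",
     "iban": "NL91ABNA0417164300", "birth_date": "1984-03-16",
     "order_total": 129.95, "notes": "Called 06-12345678 about a late delivery"},
    {"customer_id": "CUST-1001", "name": "Anna de Vries", "email": "anna.devries@example.com",
     "iban": "NL91ABNA0417164300", "birth_date": "1984-03-16",
     "order_total": 15.00, "notes": "Repeat order, same address"},
    {"customer_id": "CUST-2002", "name": "Bob Jansen", "email": "bob@example.org",
     "iban": "NL20INGB0001234567", "birth_date": "1990-11-02",
     "order_total": 499.00, "notes": "Mail bob@example.org before shipping"},
]

# Assumption: this key lives in the production secrets store and is never copied to
# the acceptance environment, so acceptance users cannot recompute or reverse tokens.
PSEUDONYMIZATION_KEY = b"rotate-me-and-keep-me-out-of-acceptance"

# Fields that directly identify a person; any of their original values leaking into
# the output is a hard failure.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "iban")

# Assumed patterns for free-text scrubbing (Dutch phone numbers, e-mail addresses).
PHONE_RE = re.compile(r"\b0\d{1,3}-?\d{6,8}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _tag(field, value, key=PSEUDONYMIZATION_KEY, length=12):
    """Keyed, deterministic pseudonym: same input gives the same token, so foreign
    keys still line up, but without the key the token cannot be linked back.
    The field name is mixed in so equal strings in different columns differ."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize_row(row, key=PSEUDONYMIZATION_KEY):
    """Return a copy of one record with identifiers tokenized and free text scrubbed.
    Business fields such as order_total are kept so the test data stays realistic."""
    out = dict(row)
    out["customer_id"] = "P" + _tag("customer_id", row["customer_id"], key)
    out["name"] = "Customer " + _tag("name", row["name"], key, 6)
    out["email"] = _tag("email", row["email"], key) + "@test.invalid"
    out["iban"] = "NL00TEST" + _tag("iban", row["iban"], key, 10).upper()
    # Coarsen the birth date to the year only; exact dates are rarely needed in testing.
    out["birth_date"] = row["birth_date"][:4] + "-01-01"
    # Free text is where personal data hides; scrub the patterns we know about.
    notes = EMAIL_RE.sub("[email]", row["notes"])
    out["notes"] = PHONE_RE.sub("[phone]", notes)
    return out


def leaked_identifiers(original_rows, pseudonymized_rows):
    """Return the set of original direct identifiers still present anywhere in the
    pseudonymized extract (including inside free-text fields)."""
    blob = json.dumps(pseudonymized_rows)
    return {row[f] for row in original_rows for f in DIRECT_IDENTIFIERS if row[f] in blob}


def pseudonymize_extract(rows, key=PSEUDONYMIZATION_KEY):
    """Pseudonymize a whole extract and refuse to export it if anything leaked."""
    out = [pseudonymize_row(r, key) for r in rows]
    leaks = leaked_identifiers(rows, out)
    if leaks:
        raise ValueError(f"refusing to export: identifiers still present: {sorted(leaks)}")
    return out


if __name__ == "__main__":
    for record in pseudonymize_extract(PRODUCTION_ROWS):
        print(json.dumps(record))
```

The leak check is the part worth keeping even if the tokenization scheme changes: free-text columns such as notes or comments are where names and phone numbers end up, and a regex-only scrub will miss cases like a customer’s name typed into a comment. Because the check compares the output against every original identifier, such a row makes the export fail instead of quietly shipping personal data to the acceptance environment.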
4 – Local implementation
The GDPR is a regulation and applies directly in every EU member state, but it leaves a number of points to national law, so each country passes its own implementing legislation. In the Netherlands the regulation itself is known as the Algemene Verordening Gegevensbescherming (AVG), and the national implementing act is the Uitvoeringswet AVG (UAVG), which had not yet been enacted at the time of the workshop. It may take another couple of months before we know how the Netherlands and other countries will fill in the details left to them.
Prepare for GDPR implementation
As a first step to prepare for the GDPR, organizations should start conducting their Privacy Impact Assessments (PIAs, called Data Protection Impact Assessments in the regulation) and record where they store personal data.
Acolad can help your organization optimize and secure its personal information workflows, keep a record of potential data leaks and maintain all documents that must be submitted to the Data Protection Authority.