The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data, how personal data can be used and so forth. Within the implementation guidelines of the GDPR, there are different types of operations to consider. Here, we will discuss proof of compliance.
As a DPO or Security Officer, you need to be able to perform two main tasks:
- Prove your GDPR compliance
- Respond to potential requests from Data Subjects
Without smart and secure (software) tools, achieving this requires a huge effort. Tools such as those described in our posts 'Personal Information Identification' and 'Continuous Operations - Identification' are a real aid in reducing both cost and risk.
Prove your GDPR compliance
In order to cover your GDPR compliance, you need to have ready:
- Towards employees:
  - Proof of informing your co-workers on GDPR in general
  - Extension to the labour contract or employee work rules
- Towards suppliers:
  - Data Processing Agreement
  - Annex to freelance contracts
  - Annex to management contracts
- Towards the Data Privacy Authority (when requested):
  - Documented privacy-related decisions
  - Documented Processing Register
  - Documented security measures in IT systems (security by design/default)
  - Up-to-date Usage Register
  - Up-to-date Data Breach Register
- Towards Data Subjects:
  - Proof of informing them on the Personal Data processed, its purpose and its legal basis
  - In-time responses to requests
Responses to potential requests from Data Subjects
Articles 15 to 22 of the GDPR list the Data Subject Rights as:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Notification obligation regarding the previous three rights (rectification, erasure and restriction)
- Right to data portability
- Right to object, including to profiling or automated decision-making
It is recommended that each of these requested rights, corresponding actions, and the related communication are registered in a system.