Businesses typically ask us to perform GDPR adaptation for them. Indeed, every European business processing personal data should complete GDPR adaptation by May 2018. But what does such a GDPR adaptation really comprise?
The honest answer is that it depends on the business in question, but such an answer is not very helpful. Indeed, GDPR adaptation will look very different for a multinational wholesaler that, despite its size, only processes employee data, and for a tech startup with five employees that gathers data from consumer IoT devices. Still, there are some topics in the GDPR every business should pay attention to when preparing for the big change in regulation.
Data processing consent and policies
You are very likely to rely on consent for data processing operations that go beyond the performance of contracts or managing basic employment relations. And the standards for consent to be valid are getting stricter as of May 2018.
Hiding consent text in long Terms and Conditions, or making the provision of a service conditional on handing over excessive personal information, may prevent consent from being valid. Plain language will have to be used instead of complex legal terminology. You may also have to go beyond consent statements and update your entire data protection and privacy policies.
GDPR adaptation may not always require immediate action but may instead require your business to have in place adequate processes that would need to be triggered under certain circumstances.
The first such process is a data protection impact assessment, required for new types of data processing, in particular those using new technologies, where, taking into account the nature, scope, context and purposes of the processing, the processing is likely to result in a high risk to the rights and freedoms of natural persons.
The second is a data breach procedure: you should have a procedure in place for the event that a data breach occurs, hoping of course that it never has to be used.
Appointing a Data Protection Officer
Not all entities will require a Data Protection Officer; however, the size of the company or the number of employees alone is not a good guide to whether you require one. The standard is that your “core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”.
‘Monitoring’ may refer, for example, to the analytics relating to your app or website users, or to regular visitors to your shops who use a loyalty scheme. Monitoring does not need to be carried out by intrusive means such as video surveillance in order to qualify as such.