As we said a few weeks ago, next month European data protection rules will see their biggest change in two decades. The laws that govern how personal data must be handled were drawn up in the 1990s and differ considerably from one EU country to another. A great deal has changed since then: huge amounts of information are now generated every day, and everything from computers to mobile phones collects data that makes us identifiable.
Every company that handles personal data now has to make sure it meets its obligations and stays transparent throughout the data collection process. So what steps should you follow to comply with the GDPR?
Once you learn the GDPR guidelines, you need to plan how to implement those measures. Here is a to-do list with some points you will have to work on:
- Update your Terms & Conditions
You will need a Data Processing Agreement (DPA): the contract the GDPR requires (Article 28) whenever a processor handles personal data on a controller's behalf. If your customers are businesses whose data you process, this document sets out your data protection commitments and the terms that govern the relationship between your company and those customers. A DPA is not the same thing as the privacy notice you give individual end users; that notice has to be updated as well, so that it states who you are, why you process the data, for how long, and which rights people have.
You can expect to find a Data Processing Agreement template soon at the Direct Marketing Association’s site when they update their existing one, and the ICO will probably publish model terms and clauses for data processing contracts later on.
- Take the necessary security measures
You should have a robust security programme that is assessed against a recognized framework, for example a SOC 2 attestation or the CSA STAR programme. (Privacy Shield, covered below, is a mechanism for lawful international transfers, not a security standard.) The GDPR itself (Article 32) asks for technical and organisational measures appropriate to the risk and explicitly names pseudonymisation and encryption. We also strongly recommend reviewing your internal access design, so that only the people who need customer data can reach it, and only at the level of detail their role requires.
- Build new features
You will probably need to build new features, for example to let your customers delete all data linked to their accounts easily and completely (the right to erasure), export it in a machine-readable form (data portability), and see what you hold about them (right of access). "Completely" is the hard part: the deletion has to reach every store the account's data was copied into (analytics, logs, caches, third-party processors), not just the primary database, and you should be able to show that it did.
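The shape of such an erasure feature, as an added example that is not Bitext's code or anything from the original post: the schema, the sample rows and the `ERASURE_PLAN` table are invented for illustration. The two points worth copying are that rows a retention duty forces you to keep (here, orders standing in for invoices) are pseudonymised and unlinked rather than deleted, and that after the transaction the whole database is scanned for leftovers instead of trusting the delete statements.

```python
"""Complete, verifiable account erasure (added example, not Bitext's code).

The schema, rows and ERASURE_PLAN below are hypothetical. Erase everything
linked to an account in one transaction, pseudonymise rows a retention duty
forces you to keep, write an audit entry that does not itself retain the
identifier, then scan every table for residues.
"""
import hashlib
import sqlite3

# Hypothetical schema: orders double as invoices and must be kept, so they
# are pseudonymised rather than deleted.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, user_email TEXT, amount REAL);
CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, subject_hash TEXT, action TEXT);
"""

# Per-table handling of rows linked to a user. "delete" removes the rows;
# "pseudonymise" keeps them but clears the listed columns and the user link.
ERASURE_PLAN = {
    "support_tickets": ("delete", []),
    "orders": ("pseudonymise", ["user_email"]),
}


def build_sample_db():
    """Constructed sample data for two users (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "Alice"),
        (2, "bob@example.com", "Bob"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (10, 1, "alice@example.com", 42.0),
        (11, 2, "bob@example.com", 7.5),
    ])
    conn.executemany("INSERT INTO support_tickets VALUES (?, ?, ?)", [
        (100, 1, "Alice: please reset my password"),
        (101, 2, "Bob: question about an invoice"),
    ])
    conn.commit()
    return conn


def subject_hash(user_id):
    """One-way reference for the audit trail: proves an erasure happened
    without keeping the identifier it erased."""
    return hashlib.sha256(f"user:{user_id}".encode()).hexdigest()[:16]


def erase_account(conn, user_id):
    """Erase a user and all linked rows in a single transaction.
    Returns the identifiers that were held, so the caller can verify."""
    row = conn.execute("SELECT email, name FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no such user: {user_id}")
    email, name = row
    # Table and column names come from ERASURE_PLAN, never from the request,
    # so building SQL from them is safe; the user id is always bound.
    with conn:  # commit on success, roll back everything on any error
        for table, (action, pii_columns) in ERASURE_PLAN.items():
            if action == "delete":
                conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,))
            else:
                clears = ", ".join(f"{col} = NULL" for col in pii_columns + ["user_id"])
                conn.execute(f"UPDATE {table} SET {clears} WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        conn.execute("INSERT INTO audit_log (subject_hash, action) VALUES (?, 'erased')",
                     (subject_hash(user_id),))
    return {"email": email, "name": name}


def residual_references(conn, user_id, identifiers):
    """Scan every table and column for the subject. Returns (table, column,
    rows) triples that still reference the user; an empty list means the
    erasure was complete. Running it before erasure in a test proves the
    scan itself finds things."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        if table == "audit_log":  # holds only the one-way hash by design
            continue
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        for col in columns:
            if col == "user_id" or (table == "users" and col == "id"):
                # Foreign-key style columns: exact match on the numeric id.
                n = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} = ?",
                                 (user_id,)).fetchone()[0]
            else:
                # Everything else: substring match on the textual identifiers,
                # which also catches names or emails pasted into free text.
                n = sum(conn.execute(
                    f"SELECT COUNT(*) FROM {table} WHERE CAST({col} AS TEXT) LIKE ?",
                    (f"%{value}%",)).fetchone()[0] for value in identifiers)
            if n:
                hits.append((table, col, n))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    held = erase_account(db, 1)
    print("leftovers:", residual_references(db, 1, [held["email"], held["name"]]))
```

In a real system the scan would also have to cover the other stores mentioned above (search indexes, analytics, backups, downstream processors), and the audit row is what you produce when someone asks you to demonstrate that the request was honoured.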
- Appoint a Data Protection Officer (DPO)
Data Protection Officers oversee and advise on an organization’s data management. According to the ICO, appointment of a DPO is mandatory if:
- the organization is a public authority
- the organization’s core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), or
- the organization’s core activities consist of large scale processing of special categories of data, or data relating to criminal convictions and offences
This applies to both controllers and processors.
- Coordinate with your vendors
Review all your vendors, find out about their GDPR plans, and put GDPR-ready data processing agreements in place with them too: you remain responsible for the personal data they process on your behalf, so a vendor without adequate guarantees is your compliance gap.
- Certify for International Data Transfers
To comply with EU rules on international data transfers, a US company can self-certify under the EU-US Privacy Shield framework, negotiated and agreed by the European Commission and the US Department of Commerce as a lawful basis for transferring personal data to the US. It replaced the Safe Harbor principles, which the Court of Justice of the EU struck down in 2015. Note that Privacy Shield was itself invalidated by the same court in July 2020, so check which transfer mechanism currently applies (standard contractual clauses, or the later EU-US Data Privacy Framework) before relying on this step.
- Map out everywhere you process data right now and take action
Start from an inventory of every system, vendor and pipeline that holds personal data (the record of processing activities the GDPR requires under Article 30 is a good frame for it), then decide for each what to delete, pseudonymise or anonymize. Bitext can help you meet your data anonymization requirements for GDPR: you can integrate our multilingual technology into your pipeline and remove identifying information from text before it is stored or shared. Keep in mind that only genuinely anonymized data, where individuals can no longer reasonably be re-identified, falls outside the GDPR; pseudonymised data is still personal data, although pseudonymisation is one of the safeguards the regulation expressly encourages. To learn more about the anonymization process and how it works, simply download the whitepaper below.
Do you have any questions about these steps? Feel free to send us a message or leave a comment and we'll be happy to answer them.