The key to a good data protection program is to be meticulous and follow the steps below.
However, we must remember that organizations are changing entities, so the real success of a data protection program lies in tracking it so that it is always kept up to date. For example, if the employees of a company need to know which people have access to personal data, this knowledge should be updated every time a new person joins the company. In this way, the authorities can focus on clarifying responsibilities if a security breach occurs. It is not enough to update the data protection program once a year; it should be revised periodically.
Therefore, the steps described below must be carried out cyclically:
1. Be aware of the activities carried out by your company
As a data protection consultant, it is essential to know in depth the company for which you are going to carry out the compliance program.
You should know the activities it performs in order to understand how personal data is processed. For example, a hospital does not hold the same data as a homeowners' association does: in the first case a large amount of data will be processed, including specially protected data such as health data, while a homeowners' association processes less personal data and it is less sensitive.
2. Analyze existing risks
An analysis of the risks that may affect the processing activities should be carried out in order to define security measures for each risk scenario.
It is essential to correctly identify which measures should be applied, consistent with the size of the company and the risks that have been identified. The measures implemented should cover prevention, containment and correction, distinguishing between technical and organizational measures.
3. Analyze the requirement to designate a DPO
The GDPR requires the designation of a DPO in the cases established in Art. 37:
- If the processing is carried out by a public authority.
- When the main activity of the organization involves regular and systematic monitoring of data subjects on a large scale.
- When the main activities of the organization consist of large-scale processing of special categories of personal data.
4. Identify the companies that provide services and have access to data
Another very important point for ensuring the security of processing is to identify which companies or organizations provide services and have access to data, in order to categorize them as data processors, recipients or assignees.
Identifying these companies will also help to determine whether or not there are international data transfers and whether the safeguards that permit data transfers outside the EU are in place.
5. Inform data subjects
The most important obligation found in the Regulation is to inform data subjects about the processing of their data. This obligation must be fulfilled at the time of data collection.
The duty to inform is especially relevant for commercial communications and for data collected online. A good practice for a successful data protection program is to inform in two layers: give a first layer of basic information and include a link to the additional information. In this way, even when users do not access the second layer, they will have an overview of the basic information.
6. Provide good training to the company and its employees
Finally, one of the crucial points for the company or organization to comply with data protection is to train all the people who are part of it, so that they know how they should handle the data, how to act in the event of a security breach and how to manage a rights request.
A good data protection program must be complete and cover all the obligations imposed by the regulations, as well as guarantee all the rights of individuals. All of this materializes in the steps we have seen above, which should be repeated periodically.