Checklist: How to prepare your organization for the EU’s new General Data Protection Regulation (GDPR)

On May 25, 2018, the EU’s new General Data Protection Regulation (GDPR) goes into effect. “There are a number of questions organizations must ask themselves – and be sure to answer. Penalties of up to 4% of sales are nothing to play around with,” says Daniel Hjort, business developer at identity and security company Nexus Group.

GDPR applies to all organizations managing the personal information of EU citizens.

“The purpose of the new rules are to protect individuals’ privacy. Some laws also aim to make it easier for companies and organizations, but that is unfortunately not the case with GDPR,” says Hjort.

Moreover, it is not easy to grasp what the rules really mean for an organization since the law is extensive, complex, and contains a number of exceptions, according to Daniel Hjort.

“It is time for all organizations to begin to familiarize themselves with this law and its consequences. Most will probably come to the conclusion that living up to the new requirements is a greater challenge than apprehended,” says Hjort.

The main points of the new regulation, according to Hjort:

  • Availability

All individuals have the right to access the information your organization has registered about them.

“And it is up to your organization to ensure that you do not give out information to the wrong person when you receive a request,” says Hjort.

  • Traceability

Your organization must be able to show what has been done with the information.

“You must also be able to demonstrate both who has seen it and who has had access to it,” says Hjort.

  • Consent

Your organization must always receive approval from the people you want to record data on.

  • Transparency

It must be stated in plain language how your organization uses personal data.

Read our guide How to prepare for the GDPR – and turn it from foe to friend                                                  

  • Portability

The individual always has the right to request that the information you have registered is handed over to another party.

“The aim is to make it easier for individuals to switch suppliers. This gives your organization the opportunity to win customers from other suppliers, while at the same time risk losing customers to others,” says Hjort.

  • Correction

The individual has the right to have inaccurate information about themselves corrected.

  • Removal

The individual has the right to be removed from your records. This applies even if the person previously authorized the storage of personal data.

“And it’s not enough just to remove the information – you must ensure that there are no traces left behind,” says Hjort.

Questions all organizations must ask themselves – and be sure to answer:

  • Do we have insight into the compensation levels that are associated with non-compliance?
  • Does every part of our organization have the legal basis for the collection and use of personal data?
  • Do we have procedures in place to be able to inform affected individuals and the supervisory authority within 72 hours after a data breach?
  • How do we make sure we do not collect more information than necessary and that we do not save it for longer than necessary?
  • How do we ensure that data collected for a specific purpose is not used for anything else over time?
  • Is there a process in place to give individuals access to their information when they ask for it?
  • Is adequate information security in place to protect the personal information we have registered?
  • Are we sending sensitive personal data in unencrypted emails, and if so, how can we transition to a more secure form of communication?
  • How do we handle the demands of cross-border data transfers?
  • Are we handling personal data on behalf of other organizations, and if so, are we adhering to the obligations this entails?
  • Do we have a process to delete personal information when individuals request it?
  • Have we put aside enough budget to meet all the new requirements?
  • Have we appointed a data protection officer and planned for their education?
  • Do we also need an assistant data protection officer who can help our data protection officer make sure we follow the law?

Technical solutions that can help your organization follow GDPR:

The basic condition for the safe handling of personal data is the same as for all other security: trusted identities. If you do not know who or what you are dealing with it, does not matter how reliable your safety mechanisms are.

“Therefore, step one is to have a solution in place that allows you to maintain proper control of the identities of your employees as well as your customers, citizens, members and partners,” says Hjort.

Step two is to make sure your organization has the technical solutions in place to:

  • Give your employees and partners the right access to personal data

Not everyone should be able to see and do everything.

  • Offer customers, citizens and members the opportunity to interact with you in a safe way

All individuals should be given the opportunity to log in and identify themselves safely.

“User names and passwords are often not good enough. With technology for secure login, you can let the individuals themselves see what information you have stored about them, instead of them having to contact you to ask you to disclose data manually. You can also save time and reduce costs by offering digital signing for requests to remove personal data,” says Hjort.

  • Communicate with encryption
  • Instate traceability

You must be able to report changes in personal data and give information about who has done what and when.

Read our guide How to prepare for the GDPR – and turn it from foe to friend                                                  

Published 20 December, 2016

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At Technology Nexus Secured Business Solutions AB, corp. ID no. 556258-0414, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.