What companies must do to operate in line with the GDPR?
A number of actions and measures are needed to operate an organization (Data Controller or Data Processor) in line with the Regulation, which at a minimum should be implemented. These are:
- Conduct Data Protection Impact Assessments (PIA)
- Maintain appropriate data security
- Institute safeguards for cross-border data transfers
- Implement “Privacy by Default” and “Privacy by Design”
- Take responsibility for the security of third-party (Data Processors)
- Get appropriate consent for most personal data collection and provide notification of personal data processing activities
- Get a parent’s consent to collect data for children under 16 years old
- Appoint a Data Protection Officer (if you regularly process lots of data, or particularly sensitive data)
- Notify data protection authorities of data breaches
- Keep records of all processing of personal information
- Consult with regulators before certain processing activities
- Be able to demonstrate compliance on demand