Where Should Organizations Start With The GDPR?
Organizations should start by finding a lawyer who knows the GDPR and can help them run a privacy audit and create written policies with consumer-facing notices. You can find an attorney who is a certified information privacy professional in the EU. You should start by asking what actions you must take in order to be GDPR compliant.
It comes down to being certain that at every stage, the personal data of these subjects is being processed with respect and concern for the risk to that data subject. If you do that and keep a written policy in place that reflects that this is what the company does, you reflect all of that to your consumers, and you identify to consumers the basis on which you’re processing their information, you will be compliant. The GDPR lists the bases on which information can be lawfully processed, so a company needs to identify which one applies to it and then state that in its policy.
Who Should Oversee The Privacy Compliance Program?
The GDPR also requires that companies of a particular size have a data protection officer. With the way the GDPR describes what a data protection officer is, I suspect that there aren’t enough people on the planet who actually meet all of those requirements to act as data protection officers. We’ve definitely created a new area of employment that is going to take a long time to fill. If your company has a data protection officer, they’re the ones who should be in control of privacy compliance. If you don’t have one, there should be one person who is reasonably informed about what the requirements are, who is approved by management and answers to management directly but has the ability to stand up against management, if management doesn’t want to comply. You need someone with a certain amount of independence.
Do Many Entities Outsource Part Of Their Compliance? What Are The Advantages Of Doing So?
There are data protection officers who freelance for a number of different companies at once. I would be careful engaging anyone who is not a certified information privacy professional because it’s a new area of law and we don’t necessarily know if they’re all trustworthy. You would want to know some of the other companies that they had worked with and be able to get referrals to verify that officer’s trustworthiness and competence. If the data protection authorities come knocking, you’re not going to be able to blame everything on your third party agent. There are also a lot of software products and companies now who are designing software or other products specifically around helping companies comply with these things.
You need to have a close relationship with any agent who handles your privacy practices and make sure that they’re regularly reporting to you so that you understand them and what they’re doing. I think it is better if you can have someone in-house, but that’s a major expense that maybe isn’t necessary for a very small company. If you’re working in big data or start collecting thousands of records and putting them in different places, it’s definitely worth considering bringing someone in-house to handle that.
For more information on Business Organizations Starting With GDPR, an initial consultation is your next best step. Get the information and legal answers you are seeking by calling (615) 802-9119 today.