The GDPR will have a serious impact, and all stakeholders and decision makers must be made aware of it early so that preparations can be set in motion.
Start building a Data Stream Map and document all (personal) data processed within your Data Infrastructure.
Use your Data Stream Map to update your privacy statement so that it covers all data processing and explains the legal basis for each processing activity.
Review whether your organization is equipped to handle data subject rights (access, rectification, erasure, portability, objection). Start early: these rights pose a serious challenge for nearly all tools, systems and non-digital (dark) data.
Assess all personal data processing and document the legal basis for every operation; legal obligation, legitimate interest, explicit consent, etc.
Review and document the ways you request, receive and record consent. The result should be that you can demonstrate, for every data subject, that consent was given and for what purpose.
Make sure the processes and responsibilities are clear and everything is in place to detect, contain and report data breaches swiftly and correctly (the GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach).
Get familiar with the principles of data protection by design, by default, and privacy impact assessments.
Appoint a Data Protection Officer (where the GDPR requires one), who is responsible for upholding the GDPR within the organization and also acts as the point of contact for the supervisory authorities.
When your organization is active in more than one country, you need to determine the lead supervisory authority.
Review all contracts and data processing agreements your organisation has with its processors and sub-processors, and determine which amendments are required.
Data governance is not a one-time exercise. All eleven previous steps must be a continuous part of your data operations, and their requirements should be gathered in a Data Governance Rule book.
Seems interesting, right? Don’t hesitate to contact us.