Good Data Governance is an asset
Since 25 May 2018, the CNPD in Luxembourg, the CNIL in France and the other national data protection authorities have been able to verify companies' compliance with the GDPR and to sanction them. Unfortunately, for many organizations the GDPR project is far from complete, and for some it has not yet begun.
Where and how to start? What are the best practices? What are the first steps in case of a crisis?
Several steps remain essential to bringing an organization into compliance with the GDPR.
First and foremost, it is important to review the contracts with subcontractors (processors, in GDPR terms). Companies must revise these contracts and verify that each processor actually meets its specific obligations, such as keeping a record of processing activities, guaranteeing the security of the data processed, ensuring traceability and transparency, etc. Each company should draw up a specific contract for each processor rather than relying on a generic clause.
In addition, it is important to define a risk map. It must be dynamic and kept up to date: data processing activities should be identified through a living process, and ideally through an automated system, rather than a one-off inventory. Companies must learn to manage their data as a whole, and this data governance must be shared by all departments of the company. The GDPR is therefore an opportunity to set up a global governance process.
In order to comply, it is necessary to start by carrying out a data protection impact assessment (DPIA) adapted to the context of each organization. This analysis allows each structure (company or institution) to describe its data processing, to assess the risks to the rights of the data subjects and the obligations that follow (for example, when video surveillance cameras are installed in the workplace, the employer must inform the employees), and to provide evidence of compliance with the obligations of the GDPR.
Risk management must also be anticipated. Implementing the GDPR covers legal, technical, organizational and communication aspects. Financial sanctions and compensation for damage are an important part of the Regulation, which is why this point should not be underestimated. The major risks identified so far are mainly a lack of preparation on the part of the controller and the processor, a lack of coordination, and a lack of preparation of external teams. To limit these risks when an incident occurs, we advise five reflexes: the legal qualification of the facts, notifying the insurer, analysing the processor contract, managing the evidence, and lodging a complaint.
On the technical side, there are several steps to manage the risk: analyse the situation, take emergency measures to contain the incident, document each intervention, and adapt the technical measures to prevent a recurrence.
As for communication, it is necessary to show empathy and transparency and, of course, to offer compensation to the victims of the damage.
Finally, it is necessary to prepare for a possible inspection by the CNPD/CNIL. They can carry out on-site inspections, document-based reviews, hearings or online checks. This is why, in the event of an inspection, it is necessary to set up a GDPR audit committee bringing together the DPO (internal or external), the CIO, the Legal Director and the head of the GDPR project. It is in each organization's interest to ensure that any sanctions, if they are imposed, are as limited as possible. Being cooperative and transparent will only make the inspection go more smoothly.
If your company has still not started or completed its GDPR compliance, don't panic. OpenField, an expert in this field, offers you the advice and skills to support you through this compliance process.
To find out more about OpenField’s approach, contact our experts today.