GDPR series part 5: the action guide part 2

The European Union General Data Protection Regulation (GDPR) will come into force throughout the European Union and European Economic Area on May 25th 2018. This six-part guide will explain the new law, and what businesses need to do to be compliant. The last article contained part one of the action guide, it will be completed in this section.

Part one of the action guide covered the first six steps businesses should keep in mind as GDPR approaches; which included reviewing current data stores and how incoming data is collected, ensuring easy opt-out, encryption capabilities, the use of data processors, and transfer to countries outside of the union.

Continuing on, below are five further action items organisations should consider before GDPR:

  1. Deleting data

GDPR states that data should only be kept while needed and removed thereafter. Additionally, users can at any point demand that their data is deleted. As such, the data controller should have a procedure in place for complete data removal. This may sound easy, however, data can easily be shared between systems and the organisation needs to be sure that the data is removed from all systems simultaneously, and that the process of automatic syncing doesn’t bring the data back.

  1. Action on data loss

The controller needs to have a comprehensive action plan for when a data loss incident occurs. This plan needs input from many parts of the organisation, including legal, compliance, finance, marketing and HR, in partnership with IT. The following are essential items that should be considered in a data incident response plan:

  • Identification: IT needs to be alerted so that it can stop any data beach in progress and communicate the details, including how the leak occurred and impact, accurately to the rest of the organisation. Businesses must have technology that can identify data breaches via whatever means; hackers, infected machines, lost credentials, sharing of information on unsafe cloud services etc.
  • Outside communication: when and how an organisation informs authorities, data subjects and, where necessary, the wider public. The data controller has 72 hours to notify the supervisory authority, unless “the data breach is unlikely to result in risk,” i.e. the data has been encrypted. Businesses should plan to reach affected customers via multiple channels – phone, email and social media – and increase resources in call centres to deal with the rise in customer calls. The message conveyed to subjects should reflect breach severity, a reminder to organisations that not all data has the same value
  • Process changes: more medium- to long-term, but once the cause of the leak has been identified, controllers need to amend processes. For instance, keeping financial or other sensitive data away from employees to whom it isn’t business critical.
  1. Maintaining records

GDPR discusses the data controller’s responsibility of keeping accurate records of data processing. In an investigation, the supervisory authority can ask when each record was inputted into the system, where it came from, evidence that the user accepted terms and conditions and what the data will be used for. Additionally, authorities can request the data controller’s data retention policy, data transfers to third parties (including cloud services), and data safeguarding processes.

It’s imperative to note that fines imposed by supervisory authorities can increase if record-keeping and procedures are not considered sufficient. Organisations should start documenting the procedures now and include any data processors that are also working on the data.

  1. Demonstrating compliance

Organisations should be able to demonstrate GDPR compliance; including understanding the regulation and implementing policies and technical measures, informing data processors of their responsibilities and ensuring the appropriate transfer of data to data processors. The level of any fine for non-compliance will likely take into account the documented procedures, echoing fines from data protection regulators under the current Data Protection Directive.

  1. Data Protection Officer (DPO)

In most EU countries, the interpretation of the Data Protection Directive has meant that all organisations – except small SMBs – with data on individuals need a data protection officer. The new regulation has partially reduced the burden and only public sector organisations or those that provide monitoring of ‘large scale’ data subjects require one. However, the regulation has left this discussion open to interpretation by the individual countries, and some supervisory authorities may wish organisations to have someone designated as the contact for data protection issues. In particular, the threshold for the appointment of a DPO is much lower in Germany than compared to that of the regulation.

The next article will conclude the series and will be a guide to implementation, advising businesses on executing the implementation of a GDPR system. As, even if businesses believe that they are ready for action, finding a place to start can be daunting.

By Nigel Hawthorn, privacy spokesperson at Skyhigh Networks

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.