
Businesses face a new challenge: how best to implement the General Data Protection Regulation (GDPR) so as to avoid potential sanctions. Below is some practical guidance.
1. Get familiar with the new requirements in this field
That means designating an employee (or a team) responsible for bringing the company's procedures into compliance with the Regulation. The task could be entrusted to the legal team, the IT department, HR or an external expert. Whoever takes it on needs to work through not only the Regulation itself but also the Bulgarian Personal Data Protection Act and its accompanying statutory instruments, along with the guidelines issued by the Commission on Personal Data Protection.
2. Analyze what you do
This covers the types of personal data your company processes and the categories of individuals whose data it is. In particular, establish whether you process ordinary personal data (name, address, email) or special categories of data (race, health status, political views, etc.). As part of this process, record the purposes for which you collect the data, the third parties to which you disclose it, and whether you transfer it to other EU countries or to third countries and on what legal ground.
3. Do you need a Data Protection Officer?
You must appoint a DPO if you are a public body; if your core activities involve regular and systematic monitoring of data subjects on a large scale; if you process special categories of personal data on a large scale; and in other cases provided for by law. You can appoint an existing employee as DPO, who may continue his or her current duties provided there is no conflict of interest, or you can engage a person from outside the company under a civil contract.
4. Risk Management
Having completed the previous steps, assess the risk to data protection. The assessment takes into account the nature, purposes and scope of the processing and the possible risk to the rights of individuals, as well as the consequences should those risks materialise. Where the processing is likely to result in a high risk, you need to perform a data protection impact assessment (DPIA); if the DPIA shows that the residual risk remains high despite the measures you plan, you must consult the Commission on Personal Data Protection before starting the processing. Select measures adequate to bring the risk down. These might include pseudonymisation of personal data, encryption, training of personnel, and ensuring that the systems processing personal data are resilient and reliably available. Note that pseudonymised data is still personal data: the Regulation treats pseudonymisation as a risk-reducing measure, not as a way out of its scope.
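Pseudonymisation done badly and done properly look alike on the surface, so the measure just mentioned deserves a concrete illustration. The following Python example is added here and is not part of the original guidance; the sample records, the attacker's candidate list and the keys are all constructed for illustration. It shows why an unkeyed hash of an email address is not pseudonymisation in the Regulation's sense (anyone holding a list of likely addresses can recompute the hash and re-identify the record), and how a keyed HMAC with the key held separately from the dataset lets the controller still link records belonging to the same person while a third party without the key cannot reverse the tokens.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are fictitious.
RECORDS = [
    {"email": "anna.petrova@example.com", "health_flag": "diabetes"},
    {"email": "boris.ivanov@example.com", "health_flag": "none"},
    {"email": "anna.petrova@example.com", "health_flag": "diabetes"},  # repeat visit
]

# Constructed list an attacker might hold (e.g. a leaked customer list).
ATTACKER_CANDIDATES = [
    "anna.petrova@example.com",
    "boris.ivanov@example.com",
    "georgi.dimitrov@example.com",
]


def normalise(email: str) -> bytes:
    """Canonical form so the same address always maps to the same token."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Weak: unkeyed SHA-256. Deterministic, but trivially reversible by
    hashing every candidate address (a dictionary attack)."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the token cannot be
    recomputed from a candidate address, so guessing does not reverse it."""
    if len(key) < 32:
        raise ValueError("key must be at least 32 bytes")
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def new_pseudonymisation_key() -> bytes:
    """The key is the 'additional information' that must be kept separately
    from the pseudonymised dataset (e.g. in a KMS or HSM), never beside it."""
    return secrets.token_bytes(32)


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed token; keep the other fields."""
    out = []
    for r in records:
        copy = {k: v for k, v in r.items() if k != "email"}
        copy["subject_token"] = keyed_pseudonym(r["email"], key)
        out.append(copy)
    return out


def dictionary_attack(token: str, candidates, pseudonym_fn):
    """Simulates an attacker who recomputes the token for each candidate
    address and compares; returns the address on a hit, else None."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    naive_token = naive_pseudonym(RECORDS[0]["email"])
    print("naive token re-identified as:",
          dictionary_attack(naive_token, ATTACKER_CANDIDATES, naive_pseudonym))
    keyed = pseudonymise(RECORDS, key)
    attacker_key = secrets.token_bytes(32)  # attacker does not have the real key
    print("keyed token re-identified as:",
          dictionary_attack(keyed[0]["subject_token"], ATTACKER_CANDIDATES,
                            lambda e: keyed_pseudonym(e, attacker_key)))
    print("same person still linkable:",
          keyed[0]["subject_token"] == keyed[2]["subject_token"])
```

The naive token is recovered immediately, the keyed token is not, and the two visits by the same person still share one token so analysis remains possible. The protection rests entirely on where the key lives: if it is stored in the same database or backup as the tokens, the dataset is effectively identifiable again.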
5. Action plan
Draw up a plan to implement the technical and organisational measures needed to reach the goals identified during risk management.
6. Review of legal grounds to process personal data
This means reviewing the grounds relied on so far, including consent, contract, legal obligation, public interest, etc. Where you rely on consent, you must be able to demonstrate that it was freely given, specific, informed and unambiguous, and that it can be withdrawn at any time as easily as it was given.
7. Informing the subjects of data and transparent processing
Provide short, understandable summary information on your website (or via another easily accessible channel) covering how to contact the company and its DPO (if any), the categories of personal data collected and the purposes of processing, the retention period, the rights of access, rectification and erasure, and so on.
8. Exercising rights on the part of the subjects
Your company and its employees need to know the rights the Regulation gives to individuals. These include the right to rectification where data is inaccurate or incomplete; the right to be forgotten (in cases of unlawful processing, expiry of the retention period, withdrawal of consent, etc.); the right to data portability; the right to object; and others. Your company needs an internal procedure for handling complaints and requests from individuals concerning their personal data, with a response given within one month (extendable by a further two months for complex or numerous requests, provided the individual is told of the extension within the first month).
9. Notification of personal data breaches
Your company also needs a procedure or action plan for personal data breaches. Designate an employee responsible for an adequate response when a breach occurs. There also needs to be an internal organisation in place for notifying the Commission in time: within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
10. Documentation and accountability
As a data controller, your company should apply the data protection principles set out in the Regulation and be able to demonstrate that its processing complies with them. To this end, create, maintain and regularly update an internal record of processing activities, which includes the purposes of processing, a description of the categories of data subjects and types of personal data, the recipients of personal data (including third parties), the technical and organisational security measures, the time limits for erasure, etc.


