GDPR for Dummies: Some final Do's and Don'ts of GDPR
The new General Data Protection Regulation, or GDPR, is becoming an increasingly urgent topic of discussion for businesses across all verticals. Set to dramatically change Europe's data privacy landscape, the regulation aims to create a privacy regime fit for the digital age. It defines far-reaching changes to how we acquire, store and process personal data, and confusion is at an all-time high with the compliance deadline arriving this week.

This uncertainty was evident throughout the recent 'GDPR for Dummies Roadshow', which saw us tour nine major European cities offering practical, advice-driven workshops. With so much information out there, the roadshows aimed to provide some clarity: the do's and don'ts of getting to grips with GDPR, if you like.

Don't misinterpret your responsibilities 

Many roadshow attendees had fallen into the trap of misinterpreting what is required of them to become GDPR compliant. Whilst end-to-end data mapping and lengthy gap analyses can be useful, these complex and costly exercises are not mandated by the regulation as such, and they can often overcomplicate risk remediation. What the regulation does require (Article 30) is a record of processing activities for organisations with 250 or more employees, and for smaller ones whose processing is more than occasional, is likely to present a risk to individuals, or involves special categories of data.

So long as you understand your core data processes, the personal data they touch and the lawful basis for each, you should be well equipped to evaluate and mitigate your key risks without such an extensive project.

Do check border-specific regulation variations

Individual member states have some flexibility in how they implement certain areas of the legislation. The age at which a child can consent to online services without parental authorisation, for example, is 16 by default under Article 8 but may be lowered by national law to as young as 13, so it varies across borders. It is worth looking out for such country-specific points of difference and considering how you may need to alter your personal data management approach accordingly.

Don't think it's just for the EU

Though GDPR is a European regulation, it has wider implications. If your company is based outside the EU but offers goods or services to individuals in the EU, or monitors their behaviour, then GDPR still applies (Article 3). Similarly, businesses headquartered outside the EU but with European operations must also comply. GDPR is about personal data, and it is the location of the individual at the time their data is collected, not the location of your servers or head office, that determines whether the regulation applies.

Do value employee data 

A common misconception is that GDPR only matters for B2C organisations handling customer data. GDPR is much broader than this and applies to the personal data of anyone in the EU, including employees. In fact, some of the largest GDPR remediation projects currently involve multinational B2B organisations. Providing employees with a privacy notice outlining the ways in which their personal data is used and the basis for doing so is needed to ensure adequate transparency.

Don't count on a grace period 

GDPR was adopted over two years ago, so any 'grace period' has been and gone. The deadline of 25th May is real, and it's worth ensuring at the very least that your key personnel are well versed in their roles and responsibilities and that your 'low hanging fruit' high-risk remediation activities have been addressed, even if some of the larger-scale transformation projects are far from completion.

Do know your processors from your controllers

The controller is the party that determines the purposes and means of processing, and typically owns the relationship with the individual. The processor, on the other hand, processes personal data only on the documented instructions of the controller. Processors now carry direct obligations of their own and can be fined, but their exposure is reduced when they act strictly within the controller's instructions. Ultimately, controllers are the key accountable party, so understanding where you are acting as a controller, and the roles and responsibilities that come with it, is key.

The 'GDPR for Dummies Roadshow' provided an open forum for discussion that promoted a practical, risk-based approach. Be pragmatic, identify your key risks, and mitigate where you can before the deadline. Though some changes may take time, being able to demonstrate that a clear and actionable plan is in place will show you are on the right track to compliance and help safeguard your business from unexpected fines.

For more advice on GDPR, download the official 'GDPR for Dummies' guide here.

Contributed by Shane Fuller, lead privacy advisor, MetaCompliance and co-author of the official 'GDPR for Dummies' guide.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.