Happy GDPR-Day! As the GDPR progresses, do you?

Written by: Valérie Stragier

Over the years it has become increasingly difficult to miss the concepts engrained within the GDPR. Between the numerous fines (a record fine of €1.3 billion for Meta this week, to name one) and the ever-increasing media attention, organisations and individuals have quickly gotten accustomed to its name being thrown around.

Level up your GDPR maturity

While the GDPR is an ever-evolving concept, over the years, many have come to see its application as a static concept, requiring merely a one-time buy-in. In honour of 5 years GDPR, we have taken the liberty to compile 5 concepts which are anything but static, and may require action from your side. Let’s look at your to do list, shall we?

1.    Data Retention: how long are you keeping your data?

According to the GDPR, you are able to retain personal data for as long as you need it. Contrary to popular belief however, this is no wild card to keep personal data for as long as you wish.

After all, in the same breath, the GDPR points out that data controllers need to determine the limit on this need for retention. As soon as this limit is exceeded, personal data cannot be retained anymore. Implementing a retention period which is manifestly too long will however not get you far. After all, if you are caught retaining data too long, you could be in for a hefty fine.

After all, data should to be retained for as short as possible. As soon as your need for retention vanishes, so should the personal data.

To ensure transparency, a concrete action point for your organisation would be to examine if you have retention periods for any personal data you may collect, which can also be easily retrieved.

2. Update your Cookie and Privacy Policy

After all, the easiest way for individuals to understand that your organisation has continued its actions towards compliance is through these policies.

These policies are, as to speak, the direct communication point with your organisation, meaning they should ensure a certain level of transparency. In other words, if either of these policies has remained the same while changes did occur within your organisation, a detailed read through is long overdue.

3. Record of Processing Activities

Under the GDPR, a concept that is put on the foreground is the accountability of both data controllers and data processors.

Being able to show accountability is not a one-off action. It requires, among others, a detailed and up-to-date record of processing activities. By being able to efficiently see what your organization is up to with its collected personal data, you will elevate your chance of being able to showcase accountability when you are required to do so.

A concrete action point in this context would be to revisit the record of processing activities of your organisation and update all outdated information.

Putting in the time and effort now could spare you a lot of time and stress later.

4. Third Country Transfers

Third country transfers, especially towards the United States, have been a hot topic over the past 5 years. With the topic being heavily featured in literature and jurisdiction, many organisations quickly understood the gravity of the situation.

There seems to be no end to the required watchfulness any time soon since the new adequacy decision by the European Commission is already being pulled into question.

This is potentially a dangerous fact. Especially considering that some organisations do not realise they might be sending personal data to the US or elsewhere in the world.

After all, it is crucial to avoid being fined for non-compliance, especially non-compliance you were not even aware of in the first place.

In this context, an active action point would be to look at all data movement within your organisation. A lot of cloud storage solutions will, for example, transfer the personal data stored on it to the US. After all, there exist cloud storage solutions which store data within the EER, making for a reduced risk.

5. Rights of Data Subjects

If data subjects are able to exercise their rights and you are able to respond efficiently, you are already on the right path.

With data subjects only getting more and more empowered, you are bound to see an influx of data subjects trying to exercise their rights.

While it might be possible that you have never had a data subject trying to exercise their right, this does not mean that you don’t need to have an efficient way of working. After all, if someone does decide to make use of their rights, you only have 30 days to respond. In other words, sometimes every moment will count.

This is why an active working point would be to take a closer look at your organisation. Is there a way for data subjects to contact you to exercise their rights? If so, how long do you take on average to respond?

The GDPR is progressive, as should your organisation be

We at CRANIUM value the GDPR compliance of your organisation. Step by step, we’re working on building a more privacy-friendly world, while helping you make more sense of your obligations.

After all, by breaking GDPR compliance down into more manageable and active working points, there is a greater chance that your organisation will be and remain GDPR compliant.