The DPC presents this guidance as the first in a series that will run until the GDPR applies. It focuses primarily on how organisations should prepare so that their data processing activities are fully compliant with the GDPR ahead of the implementation date.
The recommendations include the following:
- Data mapping: mapping out where an organisation makes its most significant decisions about data processing;
- Designated responsibility: ensuring someone in an organisation or an external data protection advisor takes responsibility for data protection compliance and has the knowledge, support and authority to do so effectively; and
- Data Protection Officers: considering whether the organisation will be required to designate a Data Protection Officer and, if so, whether the current approach will meet the GDPR's requirements.
The DPC emphasises that adopting the "privacy by design" and "data minimisation" principles is already good practice, and that both principles are now enshrined in the GDPR. Accordingly, service settings must be privacy-friendly by default, and new services and products will need to take account of privacy considerations from the outset of their development.
The note also reminds organisations that the GDPR will impose very significant fines for non-compliance of up to 4% of an organisation's worldwide annual turnover (or €20 million, whichever is higher).
The DPC is now a much stronger regulator: over the last few years its annual budget has increased substantially, its team has expanded significantly and it has moved into new offices ahead of the implementation of the GDPR, ensuring that it will be able to enforce the new data protection regime from May 2018.
Article provided by Leo Moore (William Fry), attorney in Ireland.