This means that a company (or organization) must make sure it is fully aware of the changes that are coming and of what those changes mean for it.

  • No area should be handled solely by one person carrying the full responsibility; the complete support and engagement of the Board and Senior Management Team is essential.
  • Take into account all the resource and procedural implications of setting up an effective and robust data governance team for the organization.
  • GDPR must be added to the organization’s risk register, since corporate risk management now incorporates both privacy and data security.
  • Key people should be tasked with keeping up to date with developments, and it must be ensured that they are well resourced and of a suitable level of seniority.
  • Awareness sessions must be conducted so that employees understand, and stay up to date with, the changes that GDPR introduces to the organization.


Consent

This feature is regarded as important because it gives individuals better control over, and a proper understanding of, the methods by which their data is processed. It gives individuals stronger rights where consent is the basis for processing.

  • Consent must be specific, unambiguous, freely given and informed.
  • There must be a positive indication of agreement, and data controllers must hold enough evidence to show that consent has been given.
  • Parental consent is also required in order to process children’s data on the internet.

Wider Scope

GDPR will have an effect from both a geographic and a procedural standpoint, reaching new and wider areas.

  • Data processors fall within the scope of GDPR and will have to meet certain compliance obligations.
  • Organizations operating outside the EU but targeting EU citizens will also have to comply with GDPR.
  • Anyone with an EU presence, or who in some way processes the data of EU citizens, will have to nominate a representative in a particular member state.

Individual’s Rights

The rights of an individual will now be enhanced and elaborated in important areas such as:

  • The right to access their data (subject access)
  • The right to have the data corrected if inaccuracies are identified
  • The right to have personal data removed once its purpose has been achieved (the right to be forgotten)
  • The right to object to direct marketing
  • Control over automated decision making and profiling
  • The right to data portability between controllers

Subject Access Requests

One must plan early to handle access requests, because GDPR brings a large volume of information within the scope of the definition of personal data. One’s records management systems and processes (both electronic and paper-based) should therefore be designed to support efficient discovery of the required information, noting that:

  • Under most circumstances, no fee should be charged
  • A response should be provided within a period of 1 month
  • More information needs to be given, such as data retention periods and the rights available to have data corrected
  • Policies and procedures should be in place to govern any requests that are refused

Privacy Notices

One of the key aims of GDPR is to empower individuals by being transparent and clear about how their data will be processed and by whom. Whenever personal data is collected, whether from clients, staff or anyone else, the organization must review how it provides the following at the time of collection:

  • The purpose and legal basis of the processing
  • The recipients of the data
  • Any third countries to which data is transferred and the safeguards in place
  • The data retention periods
  • The individual’s rights
  • The right to withdraw consent once it has been given
  • Contact details of the data protection officer (DPO)
  • Whether the basis for providing the data is statutory or contractual
  • The details of any legitimate interest relied upon

Privacy By Design, DPIAs

GDPR places greater emphasis on creating effective data protection practices and safeguards before any processing begins.

  • For projects that involve personal data, data protection should be considered early
  • A DPIA (“Data Protection Impact Assessment”) is considered best practice and is most likely mandatory in circumstances such as decisions that produce legal effects, processing of special categories of data (for example, health data) and monitoring of publicly accessible areas.

Such processes must be regular and properly documented. Compliance needs will change and evolve as processes and business models do, so reviews must be carried out regularly and must be managed and recorded proactively.

What, Where, Why, How

GDPR’s accountability principle requires an in-depth understanding of one’s own data processing. Any effective data governance strategy begins with a comprehensive audit of data, so one must have detailed and documented answers to the questions below:

  • What personal data do you hold? Do you hold any special categories of data?
  • Where does the data come from and where is it being sent?
  • Why is the data processed? What is the purpose?
  • How can you prove that the processing is fair and lawful? Which conditions are met? Have you given the individuals concerned details about how their data is processed, along with a reference to the rights they have?

Data Protection Officers (DPOs)

The organization needs a member of staff with the necessary multidisciplinary skills and approach who has a thorough understanding of data protection compliance. The DPO role therefore requires a deep understanding of the organization’s operations, with a skill set that goes well beyond legal compliance to include strategy, IT, communication, data security, risk management and so on. GDPR has also made it clear that the role must be senior and autonomous, as the DPO represents the face of data protection for the organization, which includes dealing with data subjects and the Data Protection Authority. A DPO is mandatory for public authorities, for organizations that carry out high-risk processing and for organizations that process data belonging to special categories. He or she should be experienced and skilled enough to carry out a set of tasks such as informing and advising the organization of its obligations; monitoring compliance, which includes raising awareness, training staff and conducting audits; and cooperating with the Data Protection Authority while acting as its point of contact. A DPO can be shared with other organizations or carry out other functions, but only where there is no conflict of interest.

Penalties and Data Breaches

GDPR takes a stricter approach and can impose significant fines.

  • Any data breach must be reported to the Data Protection Authority within 72 hours of having discovered it
  • The individuals affected must be informed where there is a high risk to their rights and freedoms (for example, identity theft or personal safety)

Fines of €20 million or 4 percent of global annual turnover can be issued.

The Data Protection Authority can also issue reprimands, warnings or bans, as well as fines.

The level of fines depends on many factors, such as: the nature, gravity and duration of the infringement, including the categories of data involved; whether it was intentional or negligent; actions taken to mitigate damage; security and privacy-by-design measures; the degree of cooperation; the way in which the Data Protection Authority found out; earlier enforcement activity; and any other aggravating or mitigating factors.

Integrating data protection with corporate risk management can be called a mandate for any organization. One must consider how to manage breach reporting, both internally and with respect to one’s obligations to the Data Protection Authority. Where data processors are used, one should be clear about expectations for breach management and make sure those expectations are incorporated into the relevant contracts.




