GDPR Learning Hub

Compliance with the GDPR

Companies should establish written procedures

Companies should establish written procedures to make compliance with the GDPR simpler and more effective. 

Companies must be able to demonstrate that they comply with GDPR

Under the principle of accountability (Article 5(2) GDPR), companies must not only comply with the GDPR but be able to demonstrate that they do so in practice. In other words, neither data subjects nor supervisory authorities have to prove that a company is in breach; the burden of showing compliance lies with the company acting as controller. Companies therefore need, among other things, certain GDPR-related agreements and documentation, and written procedures are an important part of that evidence.

Procedures create structure and reduce the risk of mistakes

Companies should establish written procedures to give employees a clear structure to work within. If the procedures are clear and easy to follow, the risk of mistakes (and so of personal data breaches) is reduced, and the procedures themselves serve as documentation of how the company complies.

What procedures are good for companies to set up?

Exactly which procedures a company needs cannot be answered in a standardised way, since needs differ from one situation to another. A reasonable rule of thumb is that the larger the company, measured by the number of departments and employees, the more procedures it will need in order to create a clear structure and reduce the risk of mistakes.

Procedures for erasure of personal data

Companies must erase personal data once it is no longer necessary for the purpose for which it was collected. The same applies when the data subject requests erasure. In some cases a company may anonymise the personal data instead of deleting it; properly anonymised data is no longer personal data and falls outside the GDPR. There are also cases where personal data must not be erased, for example where the company has a legal obligation to keep processing it, i.e. a law requires the data to be retained for a certain period.

Procedures to comply with data subject rights

Data subjects have a number of rights under the GDPR, and companies must be able to honour them, so it is good to have procedures describing how employees should act when a request arrives. The rights in Chapter III (Articles 12-23) are commonly summarised as eight rights: to be informed, of access, to rectification, to erasure, to restriction of processing, to data portability, to object, and not to be subject to decisions based solely on automated processing (Articles 15-22 cover most of these). Among other things, the company must respond to a request without undue delay and at the latest within one month, which may be extended by a further two months for complex or numerous requests, and must inform the data subject of how the request was handled.

Procedures for onboarding and offboarding

It is good to have procedures for when new employees start at a company and when someone leaves, in other words procedures for onboarding and offboarding. Without such procedures the chance of a personal data breach is greater. Transition periods, such as when a new employee takes up a role or when an employee resigns, are when the company is most vulnerable: for example, a departing employee may keep access to systems and personal data that should have been revoked on their last day.

Procedures for sharing data internally

Sharing personal data between employees within a company is common, and it is easy to make mistakes if there are no clear procedures that are easy to follow. It is useful to define which personal data may be shared internally, with whom, and through which communication channels. The more sensitive the personal data, the more secure the communication channel needs to be.

Procedures for obtaining and withdrawing consent

Companies must be able to demonstrate that they have obtained valid consent. Among other things, this means that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. In addition, data subjects have the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. After withdrawal, processing based on the consent must stop, and the personal data must be erased unless the company has another legal basis for keeping it; the data subject should be informed of what was done. Withdrawal does not affect the lawfulness of processing carried out before it. It is therefore good to have procedures around these processes so that employees handle them correctly.

Please note that oral consent is not prohibited, but it is difficult to prove, and the company must be able to prove consent for it to be relied on.

Procedures for social media management and photography

It is easy to forget that personal data is also processed on social media, and that the company may be the controller for that processing. In other words, responsibility does not rest with the platform provider alone; the company that holds a user account and processes personal data through the platform is responsible too. Examples are offering customer service through social media or posting pictures of employees. Among other things, companies must regularly delete personal data from their social media inboxes, since personal data is processed there and the storage limitation principle applies to it as well.

Assessments that companies may need to make

There are various assessments that companies may need to carry out under the GDPR, either before a particular processing of personal data begins or, in some cases, during ongoing processing. One example is a Legitimate Interest Assessment (LIA), used to assess whether the company has a legitimate interest that justifies a particular processing operation. Two others are the Data Protection Impact Assessment (DPIA, Article 35), required where processing is likely to result in a high risk to data subjects, and the Data Transfer Impact Assessment (DTIA) for transfers of personal data to third countries. Please note that in some cases a company must request prior consultation with the national supervisory authority (Article 36), and before doing so it must already have carried out an impact assessment.
