All things GDPR: 5 Things You Can Still Do For Your GDPR Compliance (Updated for 2023)
Nearly 5 years after the infamous May 25th compliance deadline, we are still hearing a lot about GDPR, the lawsuits, and the consequences for the large companies that have failed to reach full compliance. Many companies are still struggling with this set of regulations. If your organization is one of those, we have some reassurance and basic steps you can take to start getting compliant.
This is the third post in our series covering GDPR. While there will always be something for you to do with regard to GDPR compliance, this post takes a back-to-basics approach to your GDPR efforts to help calm that post-May 25 panic of “Are we fully compliant?!”
1. Re-read the guidelines to be GDPR Compliant.
Yes, this seems obvious, but it’s worth the initial read, and hopefully this second pass-through as well. We know it might be a bit dry, but there’s no better resource on GDPR than the regulation itself. While reports, white papers, and blog posts are certainly helpful for deepening your understanding, they’re still secondary sources.
You, or the relevant person in your organization, can read them here.
2. Know you’re still not alone.
Soon after the compliance deadline, Crowd Research Partners published a survey that showed many organizations were still not compliant with GDPR by May 25, 2018. Here are some of the highlights from that initial report.
- Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)
- 80% confirm GDPR is a top priority for their organization
- 60% of organizations are at risk of missing the GDPR deadline
- 7% of surveyed organizations say they are in full compliance with GDPR requirements today
- 33% state they are well on their way to the compliance deadline
- The main challenges for organizations:
  - lack of expert staff (43%)
  - lack of budget (40%)
  - a limited understanding of GDPR regulations (31%)
- 56% expect their organization’s data governance budget to increase to deal with GDPR challenges
Today the story remains largely the same. As recently as 2022, a study from CYTRIO found that over 90% of US companies are still unprepared for full GDPR compliance.
3. Do you need to appoint a Data Protection Officer for GDPR compliance?
We mentioned this briefly in our previous post and, as promised, here’s some more detail on Data Protection Officers (DPOs). To start, you should ask yourself “to appoint or not to appoint.”
“Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.”
Once you’ve established that you do need to appoint a DPO for GDPR compliance, you’re tasked with finding a highly skilled individual with expert-level knowledge of this new and emerging regulation. And of course, the requirements for this position are vague. Perfect.
“Importantly, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.”
As we’ve pointed out, there are currently no certifications or qualifications for this position beyond general data protection experience relevant to the organization in question. (Do I have that? Sure. Do I think I’m qualified for a DPO position? Probably not!)
As time goes on, certifications may be developed for this position for small and large companies alike. Until then, if you’re looking for more guidance on appointing a DPO for GDPR compliance, the Information Commissioner’s Office has put together a helpful article elaborating on the dos and don’ts of hiring a DPO.
4. Update privacy by design
While Privacy by Design has been around for a while, regulators have made it a legal requirement as part of GDPR compliance.
“Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties… as well as limiting the access to personal data to those needing to act out the processing” (EU GDPR).
This may sound familiar – and it is. This goes back to one of the questions from our previous blog post – what information are you collecting and why? We were never sure why companies need to know our third maternal second cousin’s middle name.
5. Ensure your data is portable for GDPR Compliance
Data portability is introduced in GDPR and is throwing many companies for a loop. All it really amounts to is the ability to provide an individual with the information you have collected on them in a “commonly used and machine-readable format” (EU GDPR).
Luckily, in this technological age, many programs have an export-to-CSV function that will likely be your first step towards satisfying this aspect of GDPR compliance.
This is not legal advice for your company to use in complying with the GDPR. We insist you consult an attorney for advice on applying the law to your specific circumstances. You may not rely on this post as legal advice, nor as a recommendation of any particular legal understanding.