Generally speaking, grown-ups are not afraid of boogeymen. There are no magical forests, and running through the woods at night, you’re more likely to benefit from shining a light on the path rather than watching out for monsters.
In a similar vein, the upcoming EU General Data Protection Regulation (GDPR) is too often portrayed almost like some untamable source of terror. The GDPR is a complex beast, there’s no denying that. But the adult thing is to take one step at a time, keep moving and take comfort in the fact that a lot of this stuff is new to everyone and that you will get better as you go along. Although setting up and maintaining GDPR compliance involves following up on loads of detailed requirements and tasks, it might help to keep a few simple things in mind:
- Use common sense. One of the major threads running through the whole Regulation is the concept of a risk-based approach. It will never hurt to try to put yourself in the shoes of your data subjects and imagine how worried they would be about their privacy if they knew what you know about the scope, scale and security of your processing operations. Also, sooner or later, you will end up having to prioritize compliance tasks – this is where you want to sort them based on expected privacy risk.
- Write down what you’re doing. With the new principle of accountability, GDPR flips the burden of proof on compliance to the data controller, so if the authorities come knocking, you want to have a paper trail on the things you’ve done to ensure you are compliant.
- “Educate, agitate, organize”. Mere paperwork is never enough and compliance is a group effort, so do make sure you set up the necessary roles, responsibilities and communication channels within your organization, and also take measures to increase awareness on your policies and privacy in general.
- Look around. So far, there isn’t much in the way of guidelines and case law on GDPR, so your best bet is to scout for and exchange nascent best practices with other organizations and stakeholders. Eventually, you will also want to keep an eye on possible codes of conduct and certifications being set up in your field, as these are compliance mechanisms specifically encouraged by the GDPR.
Come and request a copy of some of the more concrete resources and tools we’re making freely available to help you along your path. You can find us at the HH Partners desk in the MindTrek sponsor area.
Henri Tanskanen, CIPP/E, advises clients in matters related to contract, copyright, privacy and technology law at large. He has special expertise in data protection as well as open licensing and other legal aspects of open technologies.