What challenges must be overcome regarding privacy compliance?

For a company to be considered «privacy compliant», many precautions must be taken behind the scenes. Here are just a few examples:

  • Contracts with suppliers, service providers or other third parties must be adapted whenever is personal data is exchanged.
  • There must be a clear documentation of what personal data is being processed, why it's being processed, where it is stored, what processing your company is doing as well as to whom this personal data is being transferred.
  • It is essential to ensure that the processing of personal data is limited to the minimum necessary for the intended purpose.
  • Should the deletion of personal data be requested, proof may be requested that this has been done.
  • In case of a breach of data security, you must inform the authorities and anyone whose personal data may have been lost, about this breach.

These privacy requirements can require you to modify your existing work processes to make them compliant with the new legislation. In addition, new processes will have to be implemented or envisioned that implement procedures specified in the new data protection law.

3 phases for more privacy compliance

1. Preparation Phase

In the preparation phase, the main objective is to identify:

  • WHAT kind of personal data is processed in the company. What category do they belong to? How sensitive is the content?
  • WHY these data are processed. What are the justifications?
  • WHERE the processing is carried out. Is there any commissioned processing by third parties?
  • HOW data security is granted. What technical and organizational measures (TOM) are taken?

2. Execution Phase

During the execution phase, it is important to ensure that the privacy compliance is constantly met.

This involves, in particular:

  • safeguarding the rights of data subjects (processing requests for information, disclosure, correction, and deletion)
  • periodic review of the risk assessment and adequate TOM (technical and organizational measures)
  • the performance of data protection impact assessments.

Document the processes involved in these repetitive tasks so that your employees working with personal data always know what needs to be taken care of and when.

3. Reaction Phase

The reaction phase focuses on procedures to respond appropriately to data security incidents. In the event of any breach of data security, personal data may be accidental or unlawful lost, deleted or modified, disclosed or made accessible to unauthorized people. One of the things that is important here is to ensure privacy compliance with the duty to report.

Exactly in such situations, written and centrally accessible emergency plans pay off. Only then you can take immediate action and initiate the right steps. As the term «emergency» already implies, these are work processes that are not routinely carried out and, accordingly, are usually not anchored in our thought process.

No more indigestible legal texts

We show you how you can master the privacy compliance challenges with processes