The GDPR is not a one-day thing

The 25th of May has finally arrived. The D day where all personal data is protected. Where security incidents will no longer occur. Where all the processing of personal data becomes legitimate. Where the data will no longer be stored sine die. Where users have full control over their data. Where the right to forget is a reality. Where everyone has been informed that all the privacy policies of the planet have been updated (yes, ours too). The most awaited day has arrived. And once you have reached this point of rejoicing, what then?

Well, I’m sorry to tell you that the GDPR is not a one-day thing. Today, 25 May 2018, the General Data Protection Regulation, known as GDPR, comes into effect. But just because it comes into effect today (it has been in force since 2016) does not mean that everything we have not done does not need to be done, or that if we have already made an adaptation we do not have to do anything else. Why?

One of the concepts introduced by the GDPR and perhaps the one that produces the most impact is the well-known accountability. This term invites us to apply the technical and organizational measures that the organization considers appropriate to guarantee the privacy of data, to be able to demonstrate compliance with the principles of processing contained in Article 5 of the European standard, in short, to be proactively responsible.

Therefore, this starts today. And I give some examples of tasks or actions that must be implemented from today to comply with the regulations:

  • Impact assessments. As we know, they are a preventive tool that will help us identify, evaluate and manage the risks to which a treatment is exposed. In this way we will be able to identify the appropriate measures to guarantee the rights and freedoms of natural persons. We must therefore apply the necessary controls to identify possible new treatments and be able to carry out the necessary impact assessments.
  • Risk mitigation measures. Surely you are all aware of the new risk approach introduced by the European standard, which means that we have to perform a periodic review of it, as well as analyze each of the residual risks in order to manage it and decide what measures to apply in each case.
  • Exercise of rights. The arrival of new rights such as the right to portability, for example, leads us to have to update our procedures for attention of rights to ensure the response to the exercise of this right within the legally established time frame.
  • Periodic checks. As we are discussing throughout this article, this GDPR is not something static but rather compliance should be reviewed and monitored. Therefore, we recommend establishing periodic controls that guarantee compliance with the security measures established by the organization.
  • Security vulnerabilities. I think that all of us who are involved in this security world are aware that in the event of a security incident, it is important to manage it from the 0 minute onwards. In the case of personal data also, in addition to the fact that it is now a legal requirement to notify the supervisory authority whenever the security breach constitutes a risk to the rights and freedoms of the interested parties.
  • Processors. And last but not least, a procedure and a periodic review of the contracts and security measures that the data controllers are applying must be established. Let us not forget that the GDPR leaves it to us as processor providers to monitor and determine which providers we choose as the ones in charge of the process.

Therefore, I am convinced that we all still have a lot of work to do before we have a mature data protection management in our organizations. Many of us believed that the 25th was a deadline but in my opinion today is another milestone for the fulfillment of the GDPR. We will live more peacefully without the wave of emails with privacy policy updates, but we must not forget the objective: to protect personal data. Let’s keep working on it.