How can you quickly prevent a fine under the GDPR?

The General Data Protection Regulation (GDPR) provides for sky-high fines for organisations that are careless when handling personal data. What essential measures can you take immediately to prevent such a fine?

The GDPR (General Data Protection Regulation), known in the Netherlands as the AVG (Algemene Verordening Gegevensbescherming), has entered into force, and the deadline by which organisations must comply with it is rapidly approaching. This is causing consternation among more and more organisations. After all, the regulation entails a large number of requirements and obligations, and also provides for high fines for organisations that do not succeed in meeting them on time.

Recently I spoke about this with Ans Duthler of Duthler Associates, which advises companies in this area. One of the first recommendations that she gives to clients is not to regard the new legislation as a nuisance. This is because the GDPR is primarily an opportunity to get your own data management in order. In this way you place the interests and (privacy) rights of the customer, citizen or patient even more emphatically at the heart of the organisation.

Appoint a quartermaster

An important first step in this approach, according to Duthler, is the appointment of a Data Protection Officer (DPO). He or she can act as a 'quartermaster', monitoring compliance with the new law, and arranges for the required road map to be drawn up and rolled out. Note that the GDPR makes a DPO mandatory only for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily. Small organisations can hire an external advisor, independently or in groups, for example through a trade association.

An important theme within the GDPR is accountability. Organisations must be able to show exactly which personal data they store, for what purpose and on what legal basis. This requires setting up a detailed privacy record (the GDPR's 'record of processing activities'), in which all choices made within the organisation in the context of the GDPR are documented. A good starting point for this administrative record is a detailed 'baseline measurement' of the current state of affairs.

Baseline measurement as starting point

This is because few organisations know exactly which personal data they collect, where they store them and with whom they share them. Another aspect is that the organisation must be able to demonstrate that the use of this data is really necessary for the stated purpose (data minimisation). It is very likely that this baseline measurement will yield a large number of concrete action points, on which the quartermaster can get started straight away.

A baseline measurement is also a good starting point for the necessary awareness process among your own employees (including the management!). With every new action involving personal data, they should automatically ask themselves a number of critical questions: which data are involved, for what purpose, whether the data are really necessary, where they will be stored and with whom they will be shared. To stimulate awareness within the organisation, a quartermaster can organise workshops or online seminars, or deploy supporting privacy tools.

Never 100% GDPR-proof

These measures must, of course, also be recorded in the new privacy records. Given the broad scope of the new GDPR legislation, and the involvement of humans as an unpredictable factor, the '100% GDPR-proof' organisation is a utopian dream. However, according to Duthler, an organisation that can show that serious work has been done on meeting the legal obligations can assume that a data breach will not automatically lead to a high fine.

Not wanting to have to pay a fine is therefore not the main reason why you should embrace the new law. Privacy is an increasingly important issue for the customer, citizen or patient. Organisations that make them feel that their sensitive personal data are in good hands will soon have a head start on the competition. The new law thus offers a great opportunity for organisations to distinguish themselves as reliable and customer-oriented.

So start with the baseline measurement as quickly as possible, determine action points and look for supporting software that helps you tackle this as effectively as possible. In the unlikely event that something nevertheless goes wrong, you can immediately demonstrate that you took proper measures to prevent a data leak and to limit its possible consequences as much as possible.

Checklist GDPR Compliance

This blog gives you an idea of what to expect. Now it is high time to take action. Our checklist describes exactly the steps you need to take to achieve GDPR compliance. The document addresses in greater detail matters such as drafting a data processing agreement, obtaining consent for the processing of personal data, the security measures to be taken and the obligation to report data breaches.

Go to the GDPR Checklist
