By now, you have identified many different actions to take, and a plan on how to take them.

We have looked at:

• Setting the plan,
• Understanding where you are,
• Understanding what needs to be done.

Now, let’s take a look at the fourth step – taking action.

Some actions will take long but are important from a risk and compliance perspective. Other actions can be less time-consuming, but are important to demonstrate responsibility. Either way, this is where we get started.

Here are examples of important actions to get started.

4.1) Training

Training people is probably the most effective way to reduce risk.

Make decision-makers and those processing personal data understand the points below, and you are well on your way to a good data protection culture.

• The basics of data protection and the GDPR
• Why data protection is important for the company
• The big “No No’s”
• When to ask for more guidance and involve an expert

A good idea is to give representatives in various departments an extra assignment. Perhaps even name them ‘Data Protection Hero’.

These individuals are probably not data protection experts. But if you get them extra training to be the eyes and ears of the DPO, you increase your chances of dealing with challenges before they become problems.

4.2) Data Processing Agreements

It is important to have your data processing agreements in place, regardless if your company is a data controller or a data processor.

A well-written data processing agreement is a great tool to make sure you and other parties share the same view.

It is also a legal requirement and an instrument to limit your legal liability when other parties are involved.

Negotiating and writing a proper data processing agreement takes time, so make sure to start early.

You will learn more about how other parties process data in discussions, so do this early in your Step 4 phase.

Starting with the most important arrangements and risks is a good idea. This includes most data, most sensitive data/processing and least known counterparty.

4.3) Privacy Notices

Communicating with data subjects in a clear and transparent way is very important to manage expectations and maintain trust.

A privacy notice is usually the space where your customers get to know you in the capacity of a data controller or data processor. It is also your opportunity to make clear that their integrity is your priority.

A well written privacy notice will also relieve your organisation from unnecessary questions and concerns, so make sure to get it right.

4.4) Security Measures

Ensuring an appropriate level of security is of great importance, and often time-consuming.

You need both organisational and technical security measures, but the details will depend on the kind of data you process and how you process it.

The safeguards must be adequate in relation to the risks posed by the processing.

4.5) Data Minimization

A fundamental principle under the GDPR is that you should only process personal data to the extent necessary with regards to your legitimate purposes.

In other words, if you don’t have a good reason to process certain personal data, you shouldn’t.

Make sure to remove personal data you don’t need, or use anonymous data if personal data is not needed. Also, make sure to stop collecting personal data that you cannot articulate a need for.

4.6) Privacy by Design and Default

Privacy by design and default are both principles codified under the GDPR. Simply put, Privacy by Design means that privacy implications should be addressed and considered from the start when building or changing a product, service or business process.

Privacy by Default means that you as a company should apply the strictest privacy settings automatically.

A data subject should not be exposed to more processing or risk than necessary. If applied correctly, these principles can help you deal with data protection proactively.

Privacy starts with your engineers and business developers!

4.7) Data Subject Access, Deletion and Portability

One of the central objectives of the GDPR is to make sure that individuals have control over how their data is processed. The rules give them powerful tools to really exercise their right to have their data processed only in accordance with law and their expectations.

The public will become more aware and educated about their new rights, and they will exercise these rights. If your business cannot meet their expectations, it will be a problem.

Make sure to have necessary processes and procedures in place to deal with incoming requests from data subjects.

4.8) Breach Notification Preparation

You also need to make sure you can deal appropriately with incidents.

The GDPR lays down that security incidents may need to be reported to business customers, data subjects and supervisory authorities (in some cases within 72 hours).

So the process for how to report a breach needs to be discussed and decided on beforehand.

We will wrap this series up in Step 5: …and repeat!