Govern yourself accordingly: How organisations can implement their own GDPR compliance

The following steps provide a brief overview of the measures an organization should take to become GDPR compliant:

• Appoint a Privacy Officer or, in smaller organisations, a go-to person for data protection.
• Create a data register in which the organisations’ departments (ie. human resources, marketing, finance, etc.) describe the data they process, the people or institutions within and outside the organisation to whom the data is transferred, retention and destruction procedures and safeguards.
• Prioritise compliance by ensuring that:

a. only necessary data is being collected;
b. the legal basis for data collection are respected;
c. clear and explicit privacy notices are drafted to inform individuals of how their data will be collected, stored, used, retained, and transferred;
d. suppliers and subcontractors are compliant and have signed agreements testifying to this compliance;
e. either model clauses are in place for documents involving data transfers between Europe and Canada or other accepted measures are being used;
f. data access, amendment, and take-down procedures are in place; and
g. data-breach response procedures are in place

• Conduct a privacy impact analysis to determine which data is at greatest risk and how to protect it.
• Establish processes including continuous general and targeted data protection training to ensure data is protected at all times by every member of the organisation.
• Document compliance (ie. save forms evidencing consent as well as data access / amendment / take-down requests and organisational responses to these)s

These measures are not impossible to implement. They demonstrate the value, however, of making data protection a governance mater so as to reduce exposure in the event local regulatory bodies are slow to respond to global trends.