First piece of advice: read the Regulation itself. It is not enough to consult a few articles or attend one or two conferences to understand what needs to be done; authors and speakers bring their own interpretations, which are often highly debatable. Only by reading the regulatory text can you actually understand what is required. As a rule, a European Regulation should be read from cover to cover, including the recitals (the "Whereas" clauses) that precede the Articles: it is often there that the detailed elaborations, and the answers to your questions, are to be found.
Second piece of advice: the GDPR imposes on Europe today a set of rules that have been in force in other parts of the world for years. Documents, frameworks, models and methodologies are therefore already available that can be obtained, studied, adapted and applied, all at a cost close to zero.
Third piece of advice: the GDPR is a high-level document whose application requires a substantial set of guidelines, many of which will be issued during 2016, as Isabelle Falque-Pierrotin (President of the CNIL and chair of the Article 29 Working Party, the WP29 or G29) declared in March of this year.
Among these guidelines are those on the DPO and on the certification of controllers and processors …
… we believe the DPO is a key lever of this compliance scheme; he/she is the "chef d'orchestre" of the toolbox. The WP29 wants to support this function and will deliver guidelines in 2016 …
…Last but not least, certification, because there is a high expectation on that from the data controllers.
But if these guidelines are not yet available, how is it that miraculous tools for GDPR compliance, and rules defining what a DPO is, already exist today?
Everyone should evaluate such solutions with appropriate circumspection and rigour.
Fourth piece of advice: stay informed. Follow closely the work of the European Data Protection Board (one of whose tasks is to issue a number of guidelines), of other European bodies, of our national Authority for the protection of personal data, and of the legislator. The next two years will be rich in developments; adjustments to, and revisions of, current legislation will be required, so you will need to monitor continuously which obligations actually apply in order to be compliant.
Finally, take this opportunity to secure important parts of your company by creating synergies with other obligations you already have to meet.