Full compliant organization beyond 2018 in five lines

QuestionsCategory: Legal frameworkFull compliant organization beyond 2018 in five lines
Alfa asked 5 years ago

If you were to describe a fully compliant organizations beyond May 2018, what would be the description in five lines? In short; what are, in your opinion, the five most important implications of GDPR?

1 Answers
Alessandro Vallega Staff answered 5 years ago

Compliance to GDPR will not be a crisp value (Y/N) but more a fuzzy one (good, very good, insufficient etc).  This is because of the complexity of the requirements and the need to adjust the measures during the time according to the state of the art and evolution of the processing. The law is actively promoting good practices (people, processes and technology) and a own judgment about what the company should do based on a risk assessment. Having said so a full compliant organization might be: 
A “compliant company” is the one that in order to protect the rights and freedoms of the data subject, regularly challenges its processes, organization and systems to:

  • guarantee a proper information and collect the consent from the data subjects (art. 6-7) and limit the data collected and the usage done (art. 5)
  • document and improve the knowledge of the processes (art.30)
  • design good processing, protected by design and by default (art. 25) and be aware of potential high risks (art. 35)
  • implement state of the art security measures both organizational and technical (art. 32)
  • be able and organized to cooperate with the authority (art. 31, art. 36, art. 37-39 ) and to promptly notify / communicate data breaches (art. 33 and 34)
  • when possible and appropriate, follow code of conducts (art. 40-41), and obtain certifications (art. 42)
  • transfer personal data to third countries within the correct legal framework (chapter V)
  • revisit the contracts and make sure its providers (processors and third parties) understand and follow the Regulation

Or shorter:
A “compliant company” is the one that in order to protect the rights and freedoms of the data subject, regularly challenges its processes, organization and systems to guarantee a lawfully, fairly and transparent processing, that follows security best practices and protects data at rest and in motion against external and internal abuses and attacks.