Several supervisory authorities have started to issue step plans to help data controllers in the preparation for the application of the EU General Data Protection Regulation (GDPR).
In April, the Dutch Authority (Autoriteit Persoonsgegevens) issued its step plan consisting of 10 items:
- Awareness,
- Rights of data subjects,
- Keeping records of data processing,
- Privacy Impact Assessment (PIA),
- Privacy by design & privacy by default,
- Data Protection Officer (DPO),
- Notification obligation regarding data breaches,
- Agreements on data processing,
- Lead supervisory authority, and
- Consent.
You can find a summary in English at the Privacy Matters blog.
A bit earlier, the French authority (CNIL) published a 6-step plan regarding compliance with the GDPR with the following steps:
- Appoint a DPO, who can lead the compliance process,
- Review (“mapping”) the data processing activities,
- Prepare a priority list of the measures to be taken,
- Manage the risks (including the preparation of a Privacy Impact Assessment),
- Implement internal rules regarding data protection, and
- Prepare documentation to be able to prove compliance.
You can find a summary in English at the Privacy Matters blog.
Now, the Italian Authority has also “joined the club” and issued its own 6-step plan. The step plan also contains some recommendations from the Italian Authority in the given sections.
- The legal basis of the processing must be ensured.
- More information needs to be provided.
- Rights of data subject.
- Obligations of data controllers.
- Risk-based approach and accountability measures.
- Transfer of data to third countries.
You can find a summary in English at GamingTechLaw.
In addition to the above, several other authorities have step plans, e.g. the ICO, the Hungarian Authority (NAIH), the Irish Data Protection Commissioner, the Belgian Authority.
László Pók
