Are you ready for GDPR?


Only a few months and then we are all ready for GDPR! Well, that is not true and we all know it. Your company probably has plenty to do before it is ready. One of the first things to settle is whether the GDPR requires you to appoint a Data Protection Officer (DPO). You must appoint one if your core activities include:

  • Regular and systematic monitoring of data subjects on a large scale
  • Large-scale processing of special categories of data (racial or ethnic origin, religious beliefs, health, sexual orientation, biometric or genetic data, etc.)
  • Large-scale processing of personal data relating to criminal convictions and offences

Public authorities must appoint a DPO in any case; list brokers and any operation that trades credit data are typical private-sector examples. Do not forget about your own employees either: their personal data falls within the DPO's remit as well.

The GDPR requires that:
  • Personal data is collected and processed lawfully, fairly and in a way that is transparent to the individual.
  • Personal data is collected only for specified, legitimate purposes, and not processed in a manner that falls outside the scope of those purposes.
  • Personal data is collected, processed and retained only to the extent necessary for the purpose for which it was originally obtained.
  • Personal data is accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay.
  • Personal data is retained no longer than is necessary for the purposes for which it was originally collected.
  • Personal data is protected against security breaches, unlawful or unauthorised processing, access, loss, damage and destruction by appropriate technical and organisational measures.

It is further required that the controller is able to demonstrate responsibility for and compliance with these principles. There are some exceptions and extensions, mostly concerning archiving of personal data in the public interest, scientific or historical research (including medical research), and statistical purposes.

The “Old Days” before GDPR

The GDPR stipulates that any company processing personal data must establish a lawful basis for doing so. Under the current (pre-GDPR) legislation, this is known as the "conditions for processing". What this means is that you are required to set out your reasons for processing the information and make a lawful case for it. Typical conditions were that:

  • The processing was necessary to comply with a legal obligation
  • The controller was acting under, or exercising, an official authority
  • The processing was necessary to protect the vital interests of the data subject or another person
  • The processing was necessary for a task carried out in the public interest

Lawful processing also requires that you document the steps you take to carry out each processing activity. Note that some of these bases, such as the exercise of official authority, are only available to public authorities, while public authorities in turn cannot rely on the "legitimate interests" basis under the GDPR. I would like to add that many public sources contributed to this article. It is in my opinion a serious matter that companies get ready for GDPR. It will make the difference and prove whether your company is future-proof.