The effective date of the General Data Protection Regulation is approaching fast – each company that processes personal data should implement any necessary changes by 25 May 2018 to ensure its data processing complies with the requirements of the Regulation and to avoid potentially huge fines for data processing violations. Since the Regulation affects all the areas a company operates in, all of its departments have a role to play in ensuring data processing compliance. The key departments required to focus on implementing the Regulation across the company are legal, marketing, human capital, customer service, and IT.
Since the Regulation is of a legal nature, the legal department carries a large share of responsibility for implementing the Regulation requirements in the company, and this department should be providing guidance and assistance to other departments on any implementation issues. Among other things, the legal department should define cases where the company acts as data controller or operator and should keep data processing records describing the scope, purposes and legal grounds for data processing. Also, if the company has not yet paid special attention to this area, one of the legal department’s tasks would be to draft appropriate data processing agreements or clauses for contracting with third parties to whom personal data is transferred. Since the Regulation provides for reporting personal data violations, the legal department may have to conduct negotiations with the National Data Office in such cases.
The marketing department often plays an important role in personal data processing, especially when sending marketing materials to the email addresses of data subjects for the purpose of promoting the company and its service offerings. To ensure that only compliant marketing materials are sent out, the marketing department should make sure that statutory consents to receiving such materials have been obtained from the data subjects. Also, an assessment should be made of whether the consents given meet the requirements for lawful consent, e.g. the consent should be informed and given freely and clearly by an affirmative action on the part of the data subject.
Customer service is certainly one of the departments that will be most affected by the Regulation requirements. Under the Regulation, the company is required to make it possible for data subjects to exercise their statutory rights. Although these rights extend to all data subjects, including employees, companies receive most claims from their customers. So it is the customer service department that should provide customers with information about data processing, give them rights to access, adjust and delete their personal data, restrict processing, and make it possible to transfer data.
The human capital department plays an important role in helping the company ensure overall compliance with the Regulation requirements. Confirmations should be obtained from employees involved in personal data processing that they will neither disclose personal data nor engage in unlawful processing. To ensure that all employees involved in personal data processing understand the data protection rules and their significance, each employee should receive training in this area. Such an understanding will minimise the risk of unlawful processing.
Since nowadays personal data processing is mostly done using technology solutions, involvement of the IT department in the data protection process significantly improves compliance with the Regulation. The IT department’s main responsibilities are ensuring information security (e.g. data encryption), implementing technical solutions that help data subjects exercise their rights, and restricting personal data access rights.
Although the Regulation lays down new rules for personal data processing, it is important to note that some of the data processing requirements are already stated in the Data Protection Directive and the Personal Data Protection Act, both of which still apply. So before the Regulation requirements begin to apply, each company is advised to assess its position in terms of data processing and to understand any necessary improvements it should make by 25 May 2018 to mitigate the risk of non-compliant data processing.
These steps do not include all the necessary measures for eliminating the risk of non-compliant personal data processing. Each company should be aware of the types of personal data processing it carries out and consider any measures required under the Regulation in those situations. Since the wording of the Regulation might seem complicated, it is advisable to consult experienced lawyers and IT professionals who specialise in data protection and offer a set of tried and trusted methods for assessing data processing compliance.