If you are completely complying with the "old"
data protection rules, you do not have to do a lot about your existing
operations processing personal data. Some of the rules were, however, open to
interpretation, and thus some "cutting corners" has been made
impossible, like implicit consent. The new "right to be forgotten"
also applies immediately to all processing (if there is a request, of course)
where the retention was defined too liberally. Different national rules which
you followed may be too lenient or too strict, so at least a review of what you
do and how you do it is indispensable. Documentation also has to be completed;
the "privacy by design" and "privacy by default" concepts
and the obligation for a data protection impact assessment, however, apply only
to newly starting or significantly changed processing.
So what about consent? First of all, it has to be noted that
- contrary to what you can read sometimes - it is not the cornerstone of the
right to use personal data; it is not even the basis preferred by the
regulation. If, however, you rely on it, it must be informed and explicit, and
the rules are clearer now. Among others, leaving a box checked (i.e. where
the consent does not require a specific action) or just continuing to use a
service or browse a site are not considered to be explicit consent.
The "right to be forgotten" is not as extensive as
one could conclude from the famous "Google case" which first pushed it
into the limelight. Not that the judgment of the European Court of
Justice is to be ignored, but it concerned a more limited measure than
stopping all processing: only the removal of the information from the search
results, leaving all other processing (including the original publication)
unchanged. So what is really new? Processing of personal data was allowed also
till now only based on either consent or if the data were necessary, for example,
to fulfil a contract, to comply with a law, to serve the data subject etc. Now
even the "legitimate interest" has joined these reasons. Now the
regulation gives the data subject the express right to ask for erasure of the
data if their processing is not necessary any more, and also gives the right
(not quite new) to object based on his/her specific circumstances. Consent can
be withdrawn, in particular by persons to whom information society services (for
the definition several levels of references have to be traced back) were offered as minors -
the age limit is fixed as 16 years, but member states can (in one of the few
cases where the GDPR allows them some liberty) decrease this limit to 13 years.
It is no surprise that the controller (who is responsible for the processing)
has to comply with the request for erasure if the processing was illegitimate
or the law requires the controller to erase the data.
After having talked about two of the most frequently
mentioned changes, let's turn back to what to do about the existing processing
operations.
A very important change in the rules replaces the
notification to the data protection authority - even the prior checking in case
of sensitive (now called special categories of) data - with the responsibility
of the controller to demonstrate compliance through its documentation. Only in
cases where the data protection impact assessment shows high risks (remember,
this applies only in the future) does the data protection authority have to be consulted.
There is no clear deadline in the regulation by when this documentation has
to be available, and the rules of notification were different from one country to
another. If a notification document exists and contains all information
necessary to demonstrate compliance, and is of course up to date, this is
sufficient. It is advisable to start, of course, with those where no such
documentation exists, but this is also a good opportunity to review the
correctness of existing documentation, as undocumented changes are not only a
compliance risk, they also endanger the work itself if people don't know what
they have to do or what they should take care of.
An overall check for hidden use of personal data in the
organisation almost always pays. Look at whom the organisation is in contact
with (in the widest sense; do not forget contact persons in organisations you
deal with, including authorities, information providers or even journalists)
and check who is keeping their data, where and how. This can also lead to
better management of your clients, beyond compliance.
The main points to explore, be it discovering a new
processing or reviewing a known one, can be found in the regulation. Someone
familiar with the rules and having experience in data protection compliance
(within or from outside the organisation) can of course be of great help by
understanding what has to be covered and to what detail. The obligation to
nominate a data protection officer will be discussed later.
A critical look at what data of these persons you really need
and why is next. At the same time, the time span these data are needed - and
how to keep them up to date and when they cannot be considered correct after a
time of no contact - has to be determined. The retention period is not only influenced by
the necessity (remember the right to be forgotten - if you do not keep
unnecessary data, you save money and effort, but also avoid hassle from erasure
requests) but also by the duty (not new either) to keep the data correct.
Two questions follow: information to the data subjects and
the right to data portability.
While the first one is an existing obligation under the old
rules as well, the second is maybe the only completely new right in the new rules.