The German Conference of Independent Data Protection Authorities of the Federation and the Länder, a voluntary association of independent official data protection commissioners, published a 10-point paper (available from the State Commissioner for Data Protection of Lower Saxony) that compiles suggestions for companies on how to prepare for the GDPR:
- Carry out sensitization
- Take inventory
- Check legal basis
- Special check of personal data of children
- Implement data protection through technology design and data protection-friendly default settings (“privacy-by-design” and “privacy-by-default”).
- Check contracts
- Implement data protection impact assessment
- Organize reporting and consultation obligations
- Implement data subject rights and information obligations
- Organize documentation
In substance, these points largely correspond to the procedure already established in practice: taking inventory of data processing by means of questionnaires; assessing risk and, depending on the risks found, analysing the processing operations in depth and, if necessary, carrying out a privacy impact assessment; and combining this with governance measures, in particular introducing or adapting a data privacy policy and, if necessary, further policies and templates, safeguarding the Group’s internal data flows, and adapting the specifications for legal checkpoints in project processes.