Conference of the Federal and State Data Protection Authorities: 10-point paper with suggestions for companies preparing for the GDPR

The German Conference of Independent Data Protection Authorities of the Federation and the Länder, a voluntary association of independent official data protection commissioners, has published a 10-point paper (available from the State Commissioner for Data Protection of Lower Saxony) with suggestions for companies on how to prepare for the GDPR:

  1. Carry out sensitization
  2. Take inventory
  3. Check legal basis
  4. Special check of personal data of children
  5. Implement data protection through technology design and data protection-friendly default settings (“privacy-by-design” and “privacy-by-default”)
  6. Check contracts
  7. Implement data protection impact assessment
  8. Organize reporting and consultation obligations
  9. Implement data subject rights and information obligations
  10. Organize documentation

In substance, these points correspond more or less to the procedure that is already established in practice: an inventory of data processing by means of questionnaires; a risk assessment; and, depending on the risks, an in-depth analysis of the processing operations and, if necessary, a privacy impact assessment. These steps are combined with governance measures, in particular the introduction or adaptation of a data privacy policy and, if necessary, further policies and templates, the safeguarding of the Group’s internal data flows, and the adaptation of the specifications for legal checkpoints in project processes.
