
p is for PIA - Privacy Impact Assessment or Data Privacy Impact Assessment (DPIA)

The GDPR requires organizations to perform a Privacy Impact Assessment (sometimes called a DPIA, where the D stands for Data) when processing activities are expected to have a high impact on data subjects. You will have to demonstrate that you’ve done this.


o is for opt-in and opt-out

The GDPR went into effect in May of 2016. Organizations were given 2 years to get compliant before regulators would start to hand out fines. So why aren’t they compliant yet? And why can’t they even get the most basic thing sorted, like the opt-in and opt-out on their sites?


n is for Non-Disclosure Agreements

We all know those NDAs they make you sign before sharing important and sensitive data. As a consultant I’ve always got one on hand, and I hope it shows the potential client that I take their privacy seriously. Weirdly enough, not everybody sees the need. Quite often I hear a potential client say “Oh no, I trust you. It’s fine”. But is it? I’m not saying I can’t be trusted, but as an organization you’ve got your due diligence to take care of. And getting people to sign an NDA is a large part of that. Here’s why.


m is for minimization of personal data

You can’t lose what you don’t have. In the event of a data breach or infringement, the Data Authorities will look at the data that was breached or violated, and whether that data should have been available to begin with.


l is for cprm

Here’s the first thing you really need to know about the GDPR: you must demonstrate your compliance. You do this by documenting your reasoning for certain decisions, documenting your policies and other relevant documentation. And then there’s logging.


k is for Key risk indicators

Rather than all of a sudden finding yourself in a bad situation, it’s better to see it coming (when possible). Key Risk Indicators (KRIs) help with that. Key Risk Indicators are used to measure the likelihood of something happening and tell you whether its consequences would exceed the organization’s risk appetite. These measurements can be expressed as percentages, currency, numbers, values, etc.


j is for joint controller

To know what a joint controller is, you must first know what the GDPR defines as a controller. A controller is the party that decides how the personal data will be processed. A controller can use another party to process the personal data on its behalf; we call that party a Processor. If you’re a controller and need to work with another party who is also a controller, you’re considered either Multi Controllers or Joint Controllers.


The ABC of GDPR: I is for Implementing the GDPR

I’d like to start by saying that I’m allergic to checklists that claim they’re a one-size-fits-all for implementing the GDPR. Don’t fall for it, guys. It really is too good to be true.

What are the risks of using checklists?

If you think you can just use a checklist to implement the GDPR, you’re wrong. And if you think ‘well, at least I’m getting a whole lot done’, you’re wrong AND taking a huge risk.