Article 25 GDPR requires organisations to adopt data protection by design and by default (commonly called privacy by design and by default). For many of the organisations obliged to adopt them, these will be new principles in their data protection implementation, and they must be in place before 25th May 2018. That is the date from which the Regulation applies.
Failure to do this will be easy to detect. Under Article 30 GDPR, organisations are obliged to establish and maintain a register (a record) of processing activities, and that record must include, where possible, a general description of the technical and organisational security measures adopted. Implementation of privacy by design and by default should therefore be recorded in the register. A missing record will reveal a failure to comply and attract a fine; a false record relating to Article 30 would be an infringement attracting the administrative fines set out in the GDPR, which are severe (up to €10 million or 2% of annual global turnover, whichever is higher).
Implementing security for personal data is, in essence, a subset of privacy by design and by default. Data controllers and processors must implement appropriate technical and organisational measures to protect personal data, and must have a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Again, these steps and measures must be recorded in the register of processing activities.
These are policies that can be expected to come from the highest level of authority in an organisation. Senior management must make sure there is enough time to comply with the GDPR before 25th May 2018. The EU provided a period of two years to become compliant, and over half of that time has already gone.
Many organisations are gearing up their compliance projects now. Data Compliance Europe can offer assistance in assessing where you are now compared with what you need to be doing to be ready for the GDPR. This sort of gap analysis should be one of the first steps taken in a GDPR project, as it sets out the roadmap for everything that follows.