
GDPR Operational Compliance: Don’t Stop at Updating Your Website Privacy Notice
Europe’s General Data Protection Regulation (“GDPR”) is much more than a reminder to update your organization’s website privacy notice. While an updated privacy notice is one of the more public-facing steps an organization can take to comply with the GDPR, the majority of fines lodged by regulators under the GDPR relate to organizations’ operations unrelated to their privacy policy. Below are just a few steps you should be taking to become compliant.
- Adopt Appropriate Security Measures: The GDPR requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to individuals by the organization’s processing of their personal data. This is a flexible standard, and while no specific measure is strictly prescribed by the GDPR, hundreds of organizations have already been fined for failing to implement appropriate security measures. For instance, sanctions have been imposed for failing to encrypt personal data, failing to train employees on data security, failing to conduct risk assessments, and even inadvertent disclosures due to human error.
- Ensure There Is a ‘Lawful Basis’ for Processing Personal Data: There are six, and only six, justifications (each called a “lawful basis”) for processing personal data