- Get the full picture of impact: Arrange a meet-up with your technical, customer support and legal colleagues and discuss what the GDPR means and how it impacts your organization from each side.
- Get a full picture of personal data processing in your company: Map data flows in your company — how it is stored and processed by your systems. You need to answer these questions:
- What categories of personal data do you process? (financial information, biometrics, marketing-related information, etc.)
- What categories of users do you process data for? (contributors, freelancers on your marketplace, drivers, etc.)
- What are the reasons for processing?
- How and why do you collect this information?
- How do you secure these data?
- Is the data transferred to third parties? Do you know who those third parties are? How long do they store information about individuals?
- Find legal basis for mapping: Think about 6 legal bases mentioned here. For every processing operation identified in your data map, you have to refer to a legal basis. That connection will give you the full legal basis for the mapping.
- Create tools that can help users exercise their rights:
- You need to be sure you have the information to answer the access request from the user (from your data mapping).
- Note in your data map where exactly you store personal data (in your system and with cross-reference with other systems) to comply with a decline, modification and erasure requests of users.
- Decide how you are going to respond to data portability requests. For that, you need to know what data formats your systems use.
- Map your data breach and incident response: Make sure that you and your security/tech/legal/PR colleagues have an incident response plan.
- Run a few test incidents and get everyone involved.
There are way more elements that could be added to this checklist, and you need to work with your internal experts and external advisors to come up with a list customized for your needs. For example, you may need to design data protection impact assessments, appoint a data protection officer, manage and review marketing and other company communication practices, and revisit your vendor management and contracting processes.
Having a solid basis by mapping out your data processing activities, gives you a big advantage for any subsequent GDPR compliance question that you may encounter.
You will find below some additional resources that we rely on and find helpful, and we hope they will be useful for you too.
If you want to know more
Start with the source: The full legal text of the GDPR.
The Data Protection Directive is described here.
Here is a Data Protection Authority (DPA) in each EU State. Some of them publish wonderful guidelines on the GDPR implementation. Check it here.
Article 29: An advisory body appointed a representative from the DPA of each EU Member State. The best guideline is the most recent one. You can find WP29 Newsroom here.