The main mistake in implementing the GDPR is to rely on the strength and resources of a single person. A common practice is to expect a lawyer to work on the Regulation alone. If that lawyer does not hold a sufficiently senior position in the organization and cannot convince colleagues of the need for coordinated work across the company, the effort ends in a set of useless document templates that will not protect the company.

GDPR can’t be implemented by one person

It is even worse when that person is not a lawyer at all. Hand the GDPR questions to a copywriter or a marketer and what you get is a boilerplate privacy policy on your website. Do you remember why this is bad? Such a policy will not tell your users why you collected their phone numbers when they signed up for an email newsletter. They will then be surprised to receive a call offering a product or service. Result: a double complaint, one for unsolicited direct marketing and one for a deficient privacy policy.

Moral: GDPR compliance is teamwork. The compliance department, lawyers, the information security or IT infrastructure department, marketing and sales, HR (if there are employees in the European Union), and the production and functional departments together form a real dream team for implementing the Regulation.

Explore requirements comprehensively

A narrow focus on what is new in the GDPR, to the detriment of the Regulation as a whole, is a common mistake. When companies start drafting a privacy policy or a consent form for the processing of personal data, they often forget the rules that have existed for decades: rules that migrated from the old Directive 95/46/EC into the GDPR. If you read only short overview articles about GDPR innovations, you probably do not know about these rules. Yet the GDPR does not abolish the rules of the Directive, as explicitly stated in Article 94 and Recital 171. The fines for non-compliance with those rules are just as high.

Assess risks

And do it everywhere. The GDPR has moved personal data protection away from checklists and towards risk assessment. Based on a risk analysis, you must develop your own documents and decide which measures to take. At the same time, the Regulation does not prescribe the result the risk assessment should lead you to. Measures that are successful and effective in one company may well be irrelevant in another. Only the level of risk and the characteristics of a specific threat can tell you which measures suit your company.

Suppose, for example, that the risk of a bribed employee handing a personal data database to a competitor is not relevant for your company. It is still quite possible that a contractor processing the data on your behalf will commit a violation, with negative consequences for the people who entrusted you with that data. Your task is to track how the contractors you involved in processing personal data implement the GDPR. You might not hear about this from a friend at another company (but you can hear it from us).