If you or your organization processes or operationalizes data, or handles data in any way in the EU, you must abide by the new GDPR regulations. The rules are strict, and failing to adhere to them attracts a hefty penalty.
Here are some rules:
Data Protection Officers: Appoint someone with authority as a data protection officer (DPO). Decide how data protection compliance will be handled, and assess this role and where it is likely to sit in your governance arrangements and organizational structure.
The designation of a DPO becomes essential for:
• A public authority (except those in a judicial capacity)
• An organization involved in a systematic and regular monitoring of people on a large scale
• An organization involved in large-scale processing of data such as criminal records and health records
The GDPR’s Article 29 Working Party has issued guidance for companies and organizations detailing the designation, tasks, and position of DPOs.
You can hire someone with a big data education in data handling and the legalities surrounding it, who has the support, knowledge, and authority to carry out the data protection and compliance role.
Data Protection Supervisory Authority: If your organization offers big data services such as mining, analytics, and data operationalization in more than one EU (European Union) member state, choose one lead data protection supervisory authority in the member state of your main establishment. The main establishment is the location of your central administration in the EU or, failing that, the place where major decisions about your operations are taken.
Data Protection Impact Assessment (DPIA) and Data Protection by Design and Default: Data protection by design is good practice for companies that deal in data. Conduct a Privacy Impact Assessment (PIA) on your processing. A DPIA is usually required only when:
• A new technology is about to be deployed
• An operation involves profiling of individuals that might have a significant effect on them
• Special categories of data are processed on a large scale
If the assessment identifies risks, you must address them and consult the ICO (Information Commissioner’s Office) for its view on whether your business operations, such as project management and risk management, meet GDPR requirements.
Data Breaches: Whenever a data breach comes to your notice, you are required to notify the ICO if the breach poses a risk to individuals’ rights and freedoms, for example a breach that could lead to discrimination, financial loss, reputational damage, loss of confidentiality, or any other social or economic disadvantage. Organizations must have effective systems, tools, processes, and platforms in place to detect a data breach. Failing to do so can result in a huge fine for the failure to report the breach as well as for the breach itself.
Systems to Verify Age: Implement and maintain systems in your big data services company that can verify the age of individuals, to ascertain whether they are children or adults. Any data processing activity involving children under 13 (UK) or 16 (rest of EU) requires consent from parents or guardians. GDPR comes down heavily on social networking or commercial internet activities involving children.
It is imperative to have a foolproof talent acquisition process for people with an excellent big data education specializing in legal infrastructure. Such a big data education will allay some of your fears regarding GDPR implementation.