Can you DOCUMENT how you are compliant?
One idea is to create a product sheet for the company's customers that describes the company's compliant workflows. A what-if strategy! Furthermore, the regulation recommends that a record of the company's workflows be available for use by the Danish Data Protection Agency. This documentation must be prepared if the company has more than 250 employees.
What if ... a person withdraws their consent? How do we technically take care of it and ensure that everything is deleted from the company archives? This could be a case described in a product sheet about the company's compliance strategy.
The product sheet should include a plan that describes the company's various workflows in the event that changes are made to all existing personal data. At the same time, there should also be a log that presents the changes made to personal data along the way and an overview of who has access.
Another example is job applications with attached CVs that are sent to the company and quickly spread across multiple inboxes, file systems and cloud solutions.
What strategy does the company have to limit the spread of personal data in unknown corners of the systems, and how does the company manage to delete the data everywhere after six months? (All this is rolled out in Elvium's 6. Sharp on the General Data Protection Regulation. So stay tuned!)
Are you on top of...
Who is RESPONSIBLE for your personal data?
What data processing AGREEMENTS do you have with your data providers?
Do all your EMPLOYEES follow compliant processes?
Do we need to hire a DATA PROTECTION OFFICER?
How do you ensure compliant RECRUITMENT?
Are pre-printed checkmarks a CONSENT?