The legislation makes it clear that the GDPR is not to be just a paper exercise. In effect, the whole methodology of every organisation needs to be redesigned so that the technology and the organisation itself have the data protection requirements fully integrated, and this becomes the way that all organisations do business going forwards.
The GDPR refers to this as data protection 'by design and by default'.
This requires that you adopt internal policies and implement measures which help you comply with the data protection principles as laid out across the legislation – this could include:
- data minimisation (ie cutting back on what is collected from people to the minimum required)
- pseudonymisation wherever possible (ie collecting data but without attribution so that the individual data items cannot be related to a specific person – they are just collated general data – very useful for statistics for example)
- ensuring that for every piece of data held, you have made clear in your records your reasons for using the data and the Legal Grounds that allow you to use that data, or whether you have the individual's consent to use it
- transparency measures (ie ensuring that when data is collected, it is openly clear what is collected, how it is collected, for what reason, how long it will be required for, what can be done to object to, request a copy of, alter, freeze or request deletion of such data, where this may not be possible, and so forth).