The GDPR makes privacy impact assessments (PIAs) mandatory: data controllers must conduct a PIA wherever the risk of a privacy breach is high, in order to minimise the risk to data subjects. If you store personal information on a website, for example, this applies to you. It also means that before you begin any project that involves personal data, you will need to carry out an assessment and work with your DPO to make sure the project is GDPR compliant. Depending on how much data you hold and how you use it, this can be a complex and time-consuming piece of work, so you should review it now to ensure you are ready for next year.
You will need to monitor your data continuously for breaches and notify the local DPA of any breach within 72 hours. This will be a challenge for any company that does not currently have the technology or policies in place to do so.
You will need to ensure that changes are made to any software you use to collect data, whether off-the-shelf or bespoke, so that consent is recorded explicitly and data can be thoroughly deleted on request. You must also not hold data for any longer than is absolutely necessary, and any change in how the data is used requires you to obtain fresh consent.
You will need to train your team so they fully understand the requirements and what is expected of them, so that breaches of the GDPR are spotted easily and reported promptly.
The GDPR requires that privacy is built into systems and processes by design. So if you have any purchases in the pipeline, you should ensure they are built with privacy in their design (and be able to prove that you did this). If you are buying off the shelf, ensure that the program is capable of completely erasing data.
Please get in touch if you have any concerns.
Sources: Karsten Kinast (privacy lawyer and KuppingerCole analyst), White & Case, ICO