„We completed the implementation of the GDPR a couple of years ago.”
Are you sure about that?

the obligation to implement technical and organisational measures ensuring compliance with the GDPR and demonstrating that compliance,
procedures for detecting, analysing and reporting personal data breaches,
procedures for informing data subjects about personal data breaches,
a personal data breach register template,
analysis of the obligation to appoint a data protection officer (DPO),
specification of the DPO's qualifications, competencies and tasks,
appropriate organisational positioning of the DPO (direct reporting to senior management),
involving the DPO in all data processing operations,
GDPR preamble: recital 97.
analysis of the obligation to carry out an impact assessment of planned processing operations forthe protection of personal data,
carrying out an impact assessment of planned processing operations for the protection of personal data, if required,
PDPA: Art. 57.
establishing a transparency procedure regarding how personal data are processed and used ((enabling the data subject to monitor processing and enabling enabling the controller to create and improve safeguards) and minimising the processing ofpersonal data,
establishing procedures so that when developing and designing products, services and applications, the right to the protection of personal data is taken into account,
GDPR: Art. 25,
the entity to which personal data are disclosed,
identifying recipients or categories of recipients is necessary, inter alia, to fulfil theinformation obligation,
the obligation to notify recipients of rectification, erasure or restriction of processing ofpersonal data,
more than 20 categories of tasks,
the one-stop-shop cooperation mechanism,
GDPR preamble: recitals 53, 75, 85, 108–110, 117–128, 132, 135–138 and 164.
PDPA: Art. 7, Art. 34–Art. 59 (organisation), Art. 60–Art. 74 (breach proceedings), Art. 78–91 (inspection).
analysis of the current personal data processing agreement template used witha processor,
a register of processors,
verification of whether existing processors can meet the obligations set outin the GDPR,
adapting the data processing agreement template to GDPR requirements,
GDPR: Art. 28,
new rules for obtaining consent to process special category personal data,
public authorities cannot rely on the legitimate interests pursued by the controller or by a third party,
adapting IT systems so that, at the data subject's request, they can,inter alia, fully erase their personal data, transfer data to another provider or generate among other things, generate a file containing all of their personal data,
establishing a procedure for responding to data subject requests within one month, in accordance with the transparency principle,
analysis of personal data processing for automated processing of data, including profiling,
establishing the lawful basis for processing personal data solely by automated means, without human intervention,
drafting consent clauses for profiling that produces legal effects concerning the data subject,
analysis of whether the controller transfers personal data outside the European Economic Area,
establishing the lawful basis for transfers to third countries,
adapting the process for transferring data to third countries to GDPR requirements,
PDPA: Art. 56.
one of the technical and organisational measures for protecting personal data,
it makes it harder to identify the individual but still allows different data to be linked to thatsame individual,
a reversible process, unlike anonymisation,
analysis of the obligation to maintain a record of processing activities,
review of processes involving the processing of personal data,
creating a record of processing activities template for the identified processing operations,
GDPR: Art. 30,
a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor or persons who — with the authorisation of the controller or processor — may process personal data;
the lawful basis for processing personal data may be the necessity for the purposes of legitimate interests pursued by the third party,
determining the starting point for implementing safeguards,
defining the processes carried out within the organisation,
identifying threats, vulnerabilities, likelihood, impact and existing safeguards,
developing a risk treatment plan,
GDPR: Art. 32,
consent to the processing of a child's personal data, where the child is below 16 years of age, is given by the holder of parental responsibility or thelegal guardian,
GDPR: Art. 8,
GDPR preamble: recital 38.
personal data protection policies applied by a controller or processor, that have an establishment in the territory of a Member State,
GDPR: Art. 4 point 20, Art. 46 para. 2 lit. b, Art. 47, Art. 57 para. 1 lit. s.
PDPA: Art. 56.
identifying companies forming the corporate group,
analysis of data flows between companies and identification of joint controllers,
entering into joint arrangements between companies that jointly control personal data,
GDPR: Art. 26,
one of the lawful bases for processing personal data,
consent should be given by a clear affirmative action; it should be a freely given, specific, informed and unambiguous indication of the data subject's wishes in relation to a specific matter, whose data are processed,
„We completed the implementation of the GDPR a couple of years ago.”
Are you sure about that?
