Assess what part of data protection actually depends on you
Think about what you can improve and what you can suggest
Consult and take initiative to reconcile data protection and business
Up to this point, you have probably thought about what data you process and what assets you use, and considered any doubtful cases. Write them down, as these might be good questions to ask inside your firm.
You have also thought about your roles and responsibilities and what data could be excessive in relation to them. Now that you have a clearer view of what data are under your control, think about what influence you have: to what extent you are able to decide how to process data, what assets to use, where to store the data and what safeguards to apply.
Your actual control is also the core of your responsibility. This is where you do not just follow instructions from your employer, but have some margin of appreciation to make your job more efficient. You need to assess whether that freedom is good or bad for you and for the level of data protection.
And the answer is not always clear. Usually, clear instructions and solutions are good, as the data protection system needs to be coherent and coordinated. But a good system is also decentralized, one where staff members like you have their say on which solutions secure data but do not impede business and daily work. For instance, requirements to encrypt every single file or to remember too many complex passwords might encourage you to bypass them and, as a result, not apply the safeguard at all.
I want you to consult on such issues and take the initiative. Be honest and admit both issues with security and issues which security itself causes for business. Report any changes to assets or new processing operations you plan to start. GDPR applies in the design phase, before you start to process data. And this is really efficient, as adjusting a new solution is easier than changing an existing one.