1. Understand Data Transfer Agreements (DTAs) and Onward Data Transfer (ODT)
Organizations transfer personal data all the time, and that data is then processed in a second country or, after an onward transfer, in a third country or international organization. Under the GDPR, certain conditions have to be met before either an original transfer or an onward transfer to a third country or international organization can take place.
If the Commission decides that the receiving country or international organization ensures an adequate level of protection, the transfer does not need any specific authorization.
Otherwise, a controller or processor must provide appropriate safeguards and show that data subjects have effective legal remedies available.
Failing that, you would need to obtain approval from the data subjects or meet other conditions that might be difficult to satisfy.
2. Respect Consent Mechanisms
Consent under the GDPR is specific and must be explicitly obtained. No more pre-checked boxes, no more bundling consent for one purpose in with others, and no more assuming consent. When consent is the basis for processing, the data subject must freely consent to the processing of personal data through a clear affirmative action, so no more so-called "opt-out consent" either.
For sensitive data, data subjects must give explicit consent, and you must give them an option to withdraw or refuse consent.
That means you too, marketers. Under the GDPR, all individuals have the right to object to direct marketing and to profiling related to direct marketing, and you must inform them that they have that right.
And you know how sometimes you want to unsubscribe from something and can't figure out how? Under the GDPR, withdrawing consent must be as easy as giving it.
3. Prepare Data Breach Notification Processes
Under the GDPR, companies must notify individuals without delay that there has been a breach of their personal data. When possible, you must deliver this notification within 72 hours of becoming aware of the breach, unless the breach is unlikely to impact the rights and freedoms of individuals. Data processing companies are also obliged to report breaches to the company that collected, and controls, the data they process.
4. Support the Right to be Forgotten
If personal information is compromised, an individual has the right to have his or her personal data rectified, and a "right to be forgotten" where retention of the data does not comply with the regulation or with applicable Union or Member State law. This right is particularly relevant when the data subject gave consent as a child and later wants that personal data removed, especially from the Internet.
5. Retain Privacy Data Properly Throughout the Lifecycle
Further retention of the data is lawful only where it is necessary. Necessary for what? For exercising the right of freedom of expression and information, for complying with a legal obligation, for a task carried out in the public interest, for public health, for archiving purposes in the public interest, for scientific or historical research or statistical purposes, or for the establishment, exercise or defense of legal claims.
Privacy procedures must include privacy by design, together with development and deployment concepts, including, but not limited to:
Source: https://dzone.com/articles/develop-privacy-policy-and-procedures-for-gdpr