The prior authorisations of the supervisory authorities have been cancelled by the GDPR, which adopted an approach based on accountability. It is up to the controllers to prove their compliance with the relevant supervisory authority and the people concerned.
In order to help them comply, the CNPD published its guide on preparing for the GDPR.
The CPND proposed a 7-step approach:
- Learn about the changes;
- Identify processing of personal data;
- Designate a DPO, if necessary;
- Establish an action plan;
- Identify and manage risks;
- Organise internal processes;
- Document compliance.