The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, giving companies and data processors about seven months to comply.
However, compliance is easier said than done.
Although the GDPR's jurisdiction is Europe, the regulation applies to data subjects established both in the EU and outside it.
This time next year the GDPR will be in force, yet many businesses are unaware of, and therefore unprepared for, this sea change in data protection law, one that is bound to sweep away defaulters for non-compliance.
With the effects of the GDPR sure to reverberate far beyond the EU itself, here is a five-step checklist that will help improve your readiness for these reforms.
Step 1: Understand GDPR Territorial Requirements
Although the GDPR is an EU regulation aimed at organisations within the EU, it is important to note that it also covers EU residents whose data are collected and processed by companies outside the EU.
Further, it is important that data processors understand and define the territorial scope of the regulation as it applies to them. As long as your company provides any kind of goods or services across EU borders, you are bound to process and control customer data as stipulated by the GDPR guidelines.
To understand the GDPR's obligations on data controllers outside the EU, organisations will need to interact with a Data Protection Authority, known as the national Supervisory Authority, designated in the country where their main administrative office is located.
Therefore, you should determine where your establishment makes its most important decisions concerning data processing and security, so that you know which Supervisory Authority to contact.
Step 2: Set Up a Cross-functional Team Responsible for Compliance
The challenge of compliance with a comprehensive programme such as the GDPR cuts across functional and departmental units in an organisation.
Typically, a programme of this nature does not have a single executive head solely responsible for compliance.
Therefore, the successful transition of the company will require the involvement of its constituent units, such as IT security, Accounting, Legal, Finance and others.
A compliance team composed of unit heads within the company will be better positioned to draft a road-map, based on the company's overall strategy, for successful GDPR compliance.
This way, all departments will be in sync to meet the GDPR's strict requirements for data controllers and processors.
Step 3: Review and Plan for Compliance
Yes, this is an obvious one. But with less than eight months to go before the GDPR begins, statistics show that a lot of companies aren't aware of the changes going on, let alone making preparations.
So, most organisations will not be ready for the GDPR.
You don't want to be one of them!
With fines as high as €20,000,000 for a data breach, a detailed review of your data processing and protection methods should identify the areas that could cause compliance problems.
To begin, ask yourself these questions:
- How secure is my business data, and is it backed up regularly?
- Are my servers continually monitored against threats?
- Do my data collection method and consent terms follow GDPR stipulations?
These are a few of the crucial questions you must ask yourself as you prepare for GDPR compliance.
Companies should also review all contracts involving data processing in the light of these reforms.
Step 4: Conduct a Data Protection Impact Assessment for Traceability
Before the commencement of major projects, carrying out a Data Protection Impact Assessment (DPIA) will prove prudent for organisations.
A DPIA is a systematic process for assessing the potential impact a project will have on the privacy of the parties involved.
Working with the relevant parties and stakeholders, the DPIA should be conducted throughout the system development phase of the project, and especially before any data is collected in the first place.
This will entail mapping out the functional activities that require data processing, keeping a record of where all personal data will come from and what will be done with it, understanding the legal basis for processing it, and identifying who will have access to the data.
By doing this, the company will have fulfilled the GDPR requirement of "Privacy by Design".
Step 5: Automate Your Compliance Process
An integrated solution for complying with the GDPR's mandate on "Privacy by Design" is automation.
You may have systems in place to perform risk assessments and penetration tests; however, continuous automation of your compliance process takes it up a notch.
Automating your process will move your organisation from a reactive mode to a proactive one. This way, your systems, including software-based compliance controls, remain continuously GDPR compliant based on your DPIA results.
Testing work environments and production systems for loopholes becomes as routine as running a regular IT security audit.
GDPR compliance will become a part of your business planning and systems development stages.
This will enable anyone in the IT, finance or other business departments to have access to real-time compliance data and to use this information to correct any GDPR compliance issues.
With the GDPR’s deadline looming, a wait-and-see approach to compliance could be perilous.
Get acquainted with the regulation’s guidelines by taking our FREE GDPR awareness questionnaire to put your organisation ahead on the compliance scale.