The compliance date for the European Union’s General Data Protection Regulation (GDPR) was on 25 May 2018. With GDPR becoming a reality, there are considerable changes expected on how firms manage personal information and react to security breaches. The regulation passed on 2016, bound organizations inside and outside the EU requiring them to implement new or improve data security techniques.
The first thing a firm should do is to ascertain whether the GDPR compliance applies to them. Article 3 of the GDPR offers an outlook of the rules that bound any organization that manages controls and supervises individual information of persons within the EU despite of location of the firm or where processing takes place. Look at the following:
- Is your firm located in the European Union?
- Is your firm established in the European Union?
- Do you supply products or services to persons in the European Union?
- Do you oversee the behavior of people in the European Union?
If you answer yes to any or all of these questions then compliance with GDPR is mandatory.
Before you begin compliance to GDPR, it makes sense to outline an extensive plan that analyzes all stakeholders from all the functional areas of the firm. The steps below will help you on your way to GDPR compliance:
Step 1: Data Protection Officer (DPO) and Create a Team or GDPR Function Group
Pinpoint and authorize an individual who will have complete authority for information privacy and security, budget and resources. Determine stakeholders that will identify and analyze GDPR controls administer training, fix control deficiencies, control security breaches and maintain GDPR compliance.
Step 2: Establish Governance, Risk and Compliance Authority
Determine, arrange and tag every source and type of personal information. Identify and record software and assets that process, transmit and store personal information. Identify and record your firm’s information processing activities to determine preference.
Identify record and analyze third-party processors in place as of May 2018 to determine any adjustments and processes that require amendments to concur with GDPR. Assess third parties on a regular basis and safeguard engagement documents via contracts that conform to GDPR requirements. Assess, amend, withdraw or establish new privacy policies, consents and privacy notice to account for GDPR requirements. Assess GDPR controls regularly to ascertain continued conformity and viability.
Periodically identify and record data flow sources and carry out regular Data Protection Impact Assessments for information processing activities that are highly vulnerable to a data subject. Execute the necessary technical and organizational measures to prove that you have harmonized data security into your processing techniques. Make use of certain software to create, monitor and control your GDPR compliance program. Unify GDPR requirements into your audit and supervisory programs to assess their productiveness. Oversee and audit your GDPR program periodically for conformance and amend as required to account for changes in regulations, operations, and feedback and assessment results.
Step 3: Privacy Notices and Consent
Assess privacy notices to ensure GDPR-conformance content, delivery, and timing and amend as required. Assess how you get, record and control consent. Update privacy and consent notices as required ensuring clear, simple, transparent and timely consents that can be easily accessed and given as proof of compliance. Your managing activities and controls must conform to data subject’s rights to access, amend, erasure, object and data portability and to enter a complaint.
Step 4: Establish a Breach Procedure Data
An organization should ascertain that their techniques for dealing with data breaches reflect a process that identifies breaches in a timely manner, reports, investigates and manages them properly. A firm should also assess and amend procedures of data breach so that protocols can address notification requirements and the timing for the EU Supervisory Authorities and individuals.
Step 5: Conduct Awareness Training
Carry out training to ensure that your employees and your third-party providers have full knowledge of GDPR organizational amendments as well as internal controls that affect information security and privacy. Deliver regular GDPR notices and training to inform and reinforce awareness.
Always remember that GDPR is an extensive regulation that may involve undertaking several changes to your firm in the coming months. The regulation is not a one-time undertaking, following a few concise steps will ensure you remain compliant and prevent huge fines.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.