The compliance date for the EU’s General Data Protection Regulation was May 25. The deadline has since elapsed. As it stands, GDPR is a reality. The regulation will certainly change the manner in which organizations handle and process personal data. In addition, GDPR will considerably change how organizations handle data breaches.
GDPR came into effect in 2016. It affects organizations that operate both within and outside the EU. The regulation requires these organizations to set up either new or advanced data protection practices. The most significant thing that you need to do is determine whether or not GDPR affects your organization. Article 3 of this regulation provides an overview of guidelines that apply to organizations that process, hold, somehow control, or monitor individuals’ personal data.
The regulations apply to all organizations, regardless of where the data processing occurs. To ensure that your organization complies with GDPR, you should ask yourself the following questions:
- Are you well-established within the EU?
- Does your organization have physical presence within the EU?
- Does the organization provide goods and services to clients within the EU?
- Does your organization monitor its clients’ behavior within the EU?
If the answer to the aforementioned questions is yes, you are required to comply with GDPR provisions.
Where Should You Start?
Certainly, the most puzzling question that you will face as far as GDPR compliance is concerned is where you should start. Basically, the best way of approaching GDPR is having a practical and detailed plan. This plan should engage participants drawn from pertinent functional areas of your business. These 5 key steps will go a long way in easing your GDPR compliance journey.
1. Establish a GDPR Working Team
The first step of your GDPR journey should be the establishment of a working team under a data protection officer. Pinpoint and designate an individual who is well-versed with matters pertaining to data protection and privacy. Set aside a budget and resources needed to establish a team.
You also need to identify organizational stakeholders who will identify and evaluate GDPR controls besides conducting training. This team will also be tasked with remediating control deficiencies, managing data breaches, and maintaining the entire GDPR program.
2. Establish GRC Accountability
The establishment of governance, risk, and compliance (GRC) compliance is important since it makes it easier for you to meet standards set forth by GDPR. In line with this, you should identify, classify, and tag all sources and types of personal data. It is equally advisable to have an inventory of all data processing activities within your organization to ascertain priorities.
Recording and assessing all third-party processors that are in place starting May 2018 will help you identify processes and agreements that should be amended so that they comply with GDPR. In addition, third parties should be periodically screened and engagement documents maintained. You are also required to regularly review, update, and create or retire new privacy policies, notices, and consents while considering GDPR requirements.
GDPR controls should be periodically reviewed to determine their continued viability and compliance. You also need to regularly record data flow sources besides conducting periodic Data Protection Impact Assessments, for those data processing activities that pose a high risk to your data. Suitable organizational and technical measures should be implemented to ascertain that you have factored in and incorporated data protection in your organization’s data practices.
3. Update Privacy Notices
Privacy notices should be reviewed to confirm that delivery, timing, and GDPR-compliant content is updated as required. In this regard, review your process of seeking, recording, and managing content. Privacy and consent notices ought to be updated to ensure that concise, transparent, and simple consents can be accessed. Your processing controls and processes should be in compliance with data subjects’ right to access, erasure, object, and rectify, and even lodge complaints.
4. Establish a Data Breach Procedure
It is important to ensure that there exists a procedure for handling any data breaches. The procedure that you set up should pinpoint, report, investigate, and manage breaches in a timely manner. Data breach procedures should be reviewed and updated to ensure that protocol address notification and timing requirements as stipulated by the EU supervisory authorities.
5. Conduct Awareness Training
It is advisable to keep third parties and employees aware of the internal controls and organizational changes of GDPR that affect data privacy and protection. Periodic GDPR notices should be delivered to raise and underpin awareness.
You should take note of the fact that GDPR is a wide-encompassing regulation, which may necessitate you to make slight changes to your organizational setup. In as much as the regulation itself isn’t a one-time initiative or project, following the five steps will go a long way in saving you the hassle of non-compliance or being slapped with heavy fines.