The European Union’s General Data Protection Regulation (GDPR) is not the first set of data protection rules to be implemented. Companies around the world have taken notice, however, because it is one of the first written for the current milieu of pervasive Internet usage, smart devices, and social media, and because it carries a very stringent set of penalties for violations.
Every company that processes personal data of people in the EU, whether or not the company itself is based there, needs to comply. The main points of the regulation are fairly simple and have been discussed many times over:
- You need to notify your supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. The affected individuals must be told without undue delay when the risk to them is high.
- The right to be forgotten: complying with requests from data subjects to delete their information, including every copy of it. You should also destroy data that is no longer necessary for its purpose, or when the subject withdraws consent. Gather only the minimum amount of data required, and keep it for as short a time as possible.
- Fines of up to two percent of worldwide annual turnover or 10 million euros, whichever is higher, for the lower tier of infringements, such as failing to keep records of processing, to secure data adequately, or to notify a breach.
- Fines of up to four percent of worldwide annual turnover or 20 million euros, whichever is higher, for the upper tier, such as violating the basic processing principles, the rights of data subjects, or the rules on international transfers.
- Keeping your protections current: the regulation expects technical and organisational security measures that take the state of the art into account, so what counts as adequate will move over time.
- Define a clear, specific purpose for any data you collect before you collect it, and where consent is your legal basis, obtain it explicitly.
- When using cloud services, personal data can move freely within the EU and EEA. Transfers to other countries need either an adequacy decision from the European Commission for that country or appropriate safeguards such as standard contractual clauses, so check where your provider actually stores and processes the data.
- Data subjects have the right to receive their data in a structured, commonly used, machine-readable format, giving them unprecedented data portability.
- GDPR also lays down the accountability and responsibility of both data controllers and processors.
The Essential Steps to GDPR Compliance
Compliance matters, but not every step is clear-cut. How do you make getting your company into compliance with GDPR as painless as possible?
1. Map the data.
You should be able to identify every application and the data it takes in. You should know:
- The source of data
- What types of personal data are being gathered
- Why it is being gathered
- How you’re storing the data, and who can access it
- How the data is going to be disposed of and in what time frame
For instance, you should have a clear idea that people who submit your contact form provide their full name, e-mail address, IP address, and phone number. The reason: you need that data to handle their question and get back to them. The data is stored in a WordPress database and can be accessed by the site’s administrators and your customer service team. It should be removed within 30 days, or earlier upon request.
Having this data map gives you a full picture of what types of data you hold and how you are going to protect them, and it tells you where to look when a user asks for his or her data to be deleted or exported.
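To make the data map concrete, here is an added example that is not part of the original article: the contact-form row above written as a data-map entry, with a retention sweep, an erasure handler that removes every copy tied to one subject, and a machine-readable export for portability requests. The class and function names (DataMapEntry, ContactRecord, retention_sweep, erase_subject, export_subject) and the sample submissions are my own constructions, not anything from the article or from WordPress.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DataMapEntry:
    """One row of the data map: what is collected, why, where, who sees it, how long."""
    source: str
    personal_fields: Tuple[str, ...]
    purpose: str
    storage: str
    accessible_to: Tuple[str, ...]
    retention: timedelta


# The contact-form case from the text, written as a data-map entry (assumed values).
CONTACT_FORM = DataMapEntry(
    source="website contact form",
    personal_fields=("full_name", "email", "ip_address", "phone"),
    purpose="answer the visitor's question and reply to them",
    storage="WordPress database",
    accessible_to=("site administrators", "customer service team"),
    retention=timedelta(days=30),
)

# Fixed "now" so the example is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)


@dataclass
class ContactRecord:
    """One stored submission. `data` holds only the personal fields named in the data map."""
    record_id: int
    submitted_at: datetime
    data: Dict[str, str]
    erased_at: Optional[datetime] = None


def sample_records() -> List[ContactRecord]:
    """Constructed sample data, not real submissions. Records 1 and 3 are the same person."""
    def rec(rid, day, name, email, ip, phone):
        return ContactRecord(rid, datetime(2019, 5, day, tzinfo=timezone.utc),
                             {"full_name": name, "email": email, "ip_address": ip, "phone": phone})
    return [
        rec(1, 1, "Alice Example", "alice@example.com", "192.0.2.10", "+3210000001"),
        rec(2, 20, "Bob Example", "bob@example.com", "192.0.2.20", "+3210000002"),
        rec(3, 25, "Alice Example", "Alice@Example.com", "192.0.2.11", "+3210000001"),
    ]


def _same_subject(record: ContactRecord, email: str) -> bool:
    """Match a live record to a subject by e-mail, ignoring case and surrounding whitespace."""
    return record.erased_at is None and record.data.get("email", "").strip().lower() == email.strip().lower()


def expired_records(records: List[ContactRecord], entry: DataMapEntry, now: datetime) -> List[ContactRecord]:
    """Records past the entry's retention period that still hold personal data."""
    cutoff = now - entry.retention
    return [r for r in records if r.erased_at is None and r.submitted_at <= cutoff]


def erase_record(record: ContactRecord, entry: DataMapEntry, now: datetime) -> List[str]:
    """Drop every personal field the data map lists, but keep the record id and an
    erasure timestamp so the erasure itself stays documented. Returns removed field names."""
    removed = [f for f in entry.personal_fields if f in record.data]
    for f in removed:
        del record.data[f]
    record.erased_at = now
    return removed


def retention_sweep(records: List[ContactRecord], entry: DataMapEntry, now: datetime) -> int:
    """Enforce the retention period: erase everything past it. Returns the number erased."""
    expired = expired_records(records, entry, now)
    for r in expired:
        erase_record(r, entry, now)
    return len(expired)


def erase_subject(records: List[ContactRecord], entry: DataMapEntry, email: str, now: datetime) -> int:
    """Handle a right-to-be-forgotten request: erase every copy tied to the subject,
    not just the most recent submission. Returns the number of records erased."""
    hits = [r for r in records if _same_subject(r, email)]
    for r in hits:
        erase_record(r, entry, now)
    return len(hits)


def export_subject(records: List[ContactRecord], email: str) -> str:
    """Data portability: the subject's remaining data as machine-readable JSON."""
    out = [{"record_id": r.record_id, "submitted_at": r.submitted_at.isoformat(), **r.data}
           for r in records if _same_subject(r, email)]
    return json.dumps(out, indent=2, sort_keys=True)


if __name__ == "__main__":
    recs = sample_records()
    print("past retention:", [r.record_id for r in expired_records(recs, CONTACT_FORM, NOW)])
    print("erased for Alice:", erase_subject(recs, CONTACT_FORM, " ALICE@example.com ", NOW))
    print("swept by retention job:", retention_sweep(recs, CONTACT_FORM, NOW))
    print(export_subject(recs, "bob@example.com"))
```

The erasure keeps a tombstone (record id plus erasure time) rather than deleting the row outright, which is what lets you later show an auditor that a request was honoured without retaining the personal data itself. The subject match is deliberately case-insensitive because the same person will rarely type their address identically twice, and a request that misses the second copy is a request you have not fulfilled.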
2. Communicate.
With GDPR, you need to communicate with both your site visitors and your employees. For site visitors, rewrite your privacy policy to explain what data is collected and why, the legal basis and retention periods, and how people can exercise their rights or complain, including lodging a complaint with the supervisory authority if they are not satisfied with your handling.
On the other end of the spectrum, train your employees about GDPR and how to comply with it in their daily work. As with any other business change or policy, employees need to understand GDPR in order to implement and follow it.
3. Document your every move.
When it comes to a GDPR audit, you will need to show documentation of what you have done for compliance, including the decisions and processes involved. The records of processing activities that the regulation requires most controllers and processors to keep are the core of this.
Good documentation is not only for audits. It also gives you a clear record of your policies and how they are implemented, and of your processes and how they are carried out.
4. Set up a team that will be responsible for governing data.
This team should include a data protection officer, along with business leaders and IT managers from across the organization. It owns compliance issues and reports to the board. It is tasked with the documentation, as well as the implementation and regular review of technological decisions, processes, and policies.
A data protection officer (DPO) is both a leadership and a security role. The DPO is responsible for ensuring that your company’s data protection strategies and their implementation comply with GDPR. Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one anyway.
Data protection officers are also tasked with training employees on data processing and with carrying out security audits.
The data protection officer is also responsible for:
- Training and education of employees who handle data, as well as making the important compliance rules understood by all.
- Acting as the point of contact between your organization and the supervisory authority.
- Monitoring the impact of GDPR efforts.
- Keeping comprehensive logs and records of data processing activities done by the company.
- Liaising with data subjects about how their data is used and protected and about their rights, including the right to have that information erased.
5. Implement a single platform for data policy management and governance.
Determine whether you store data all over the place rather than on one platform. Fragmented data stores make compliance difficult, and this applies to production systems and to backups and archives alike: a copy you have forgotten about is still a copy you must find when someone asks for erasure.
Once you know what data is being gathered and where it’s stored, you need to be able to see all of it from a single platform. This enables you to respond to requests for access and erasure, and it makes it easier to understand a data breach and the extent of the intrusion. Ultimately, it helps with your reporting requirements as well.
Having all data on one platform will also make it easier for you to ensure availability and protection of information.
6. Identify the technologies you need.
Once your data protection processes are settled, you will need technology vendors and suppliers to help you implement them. Because technology changes rapidly and you will revise your data protection policies every so often, those technologies should be able to evolve as well.
Current, well-maintained technology helps you avoid the risk that outdated, unsupported systems get you in trouble as far as GDPR compliance is concerned.
7. Develop a data breach contingency plan.
While nobody wants a data breach to happen, you cannot guarantee that you will never have one. It makes more sense to know what to do WHEN a breach happens than to debate IF one will.
You should have an incident response process that tells you how, when, and what to communicate to your supervisory authority, to the affected individuals, and to the public. The 72-hour clock starts when you become aware of the breach, so the plan needs to cover detection and escalation, not just the notification itself; if you cannot provide every detail in time, the regulation allows you to supply the information in phases. A rehearsed plan also lets you communicate accurately rather than reactively when a breach does occur.
8. Monitor. Revise. Audit.
GDPR compliance should be an ongoing concern for every business. The worst mistake you can make is to work on compliance once and never look back. Monitor your GDPR processes to see whether they are still adequate and relevant, and introduce changes when necessary.
* * *
It’s been a year since GDPR first became enforceable, and more laws are on the way. The good news is that if you are working hard on GDPR compliance, you may be able to meet other regulations with ease and without paying for additional resources.
GDPR compliance starts with good data governance: knowing what types of data you store and where you store them. Document everything that happens along the way, as well as the processes and decisions related to GDPR, and choose technologies that help make compliance manageable.
The capabilities you are looking for should include generating reports you can hand to auditors. Another good requirement: the technology should enable you to respond to erasure, access, and portability requests quickly.
Thanks for the GDPR info. It seems a bit overwhelming.