Steps to Ensure GDPR Compliance
GDPR is not something to ignore: non-compliance carries heavy fines (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher), and a public enforcement action can destroy your reputation and cost you clients. It is far better to be able to demonstrate how you comply with the GDPR than to take it on half-heartedly. Here are some steps to make sure your company is GDPR compliant, but first there are some terms you should be familiar with.
Data Subject – a natural person whose personal data is processed by a controller or processor.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data.
Personal Data – any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person.
Data Processor – the entity that processes data on behalf of the Data Controller.
Data Protection Officer – the GDPR requires some organizations to designate a Data Protection Officer (DPO). Organizations requiring a DPO include public authorities, organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organizations that process special categories of personal data (the GDPR's term for what was previously called "sensitive personal data", such as health, biometric, or political-opinion data) or data about criminal convictions on a large scale.
How to Become GDPR Compliant
Step 1: The first thing to do is to update or create the privacy notices on your site. They must explain to the data subject (customer/client) what your company collects, why (the lawful basis), how long the data is kept, and how it is stored, used, and shared. Where you rely on consent, it must be a clear, affirmative opt-in for the specific processing described: pre-ticked boxes, silence, or inactivity do not count, and the data subject must be able to withdraw consent as easily as it was given.
Step 2: Next, identify all personal data that you are storing or planning to store, including where it lives, which systems hold copies, and with whom it is shared. This inventory is also the basis for the record of processing activities the GDPR expects you to maintain. Remove any personal data you do not require, and ensure that what remains is kept secure and used only for the purpose for which it was collected. Once the data has been discovered, action can be taken. Start by reducing the footprint: redundant, obsolete, and trivial data (ROT) should be deleted. This cuts the associated storage costs and, more importantly, the liability: data you no longer hold cannot be breached or requested.
Step 3: The GDPR applies to external email and other communications as much as it does to internal processes. Sharing of personal data such as names, addresses, ages, etc. needs to be done securely. Use encrypted email or a secure file-transfer service to exchange personal data with clients and other external contacts, rather than plain attachments. This is where the data security strategy you should already have earns its keep: VPNs for remote access, DLP solutions to catch personal data leaving through unintended channels, and encryption of sensitive data at rest and in transit (the GDPR explicitly names encryption and pseudonymisation as appropriate security measures).
Step 4: This one is just common sense. One of the best practices is having a plan for dealing with a data breach. It should set out in detail the processes you have in place to detect a breach, contain it, prevent further breaches, and handle notification. Note the two different clocks: the supervisory authority (regulator) must be notified within 72 hours of your becoming aware of the breach, unless it is unlikely to pose a risk to individuals, while affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them. Meeting either deadline depends on logging and monitoring that let you establish quickly what data was affected and how.
Step 5: Something else to have is the means to delete customer data upon request. Customers have the right to demand that their personal data be erased, within certain limits: for example, records you are legally obliged to retain, such as invoices kept for tax purposes, can be kept, but you must be able to tell the customer what was retained and why. You must also be able to deliver all the data you hold on a customer in response to a data subject access request, without undue delay and at the latest within one month of receiving it (extendable by two further months for complex or numerous requests), and in a commonly used, machine-readable format where the right to data portability applies.
Step 6: Last, but not least, designate a Data Protection Officer if your organization is one of those that needs one (see the definitions above), and in any case name someone accountable for tracking the regulation, implementing and documenting processes, and ensuring adherence. The DPO must be able to act independently and report to the highest level of management. This is the step that matters most if the worst happens. The DPO should be able to produce reports that clearly show regulators that:
- You know what personal data you have and where it’s located, across your data landscape.
- You properly manage the process for getting, recording, and withdrawing consent from the individuals whose data you process.
- You can prove how personal data is used, who uses it, and for what purpose.
- You have the appropriate processes in place to manage things like the right to be forgotten, data breach notifications and more.
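The following is an added example, not code from the article, showing what the Step 2 inventory and the Step 5 export and erasure duties look like once turned into something a team can actually run. The store names, field names, records, retention rule, and the one-month deadline calculation are all constructed assumptions for illustration and do not come from any real system.

```python
"""Added example (not from the article): a minimal data-subject-request
handler that covers the Step 2 inventory and the Step 5 export/erasure duties.
The stores, field names, records and retention rules below are constructed
for illustration; they are not from any real system."""
from datetime import date, timedelta
import json

# Step 2 inventory: each store that holds personal data, the field that
# identifies the subject, and a rule for records that must be kept even after
# an erasure request (here: issued invoices, retained for tax law).
INVENTORY = {
    "crm": {"subject_field": "email", "retain": lambda r: False},
    "billing": {"subject_field": "customer_email",
                "retain": lambda r: r.get("invoice_status") == "issued"},
    "support": {"subject_field": "reporter", "retain": lambda r: False},
}

# Constructed sample records, one list per store.
STORES = {
    "crm": [
        {"email": "ana@example.com", "name": "Ana", "marketing_opt_in": True},
        {"email": "bo@example.com", "name": "Bo", "marketing_opt_in": False},
    ],
    "billing": [
        {"customer_email": "ana@example.com", "invoice_id": 1001,
         "invoice_status": "issued"},
        {"customer_email": "ana@example.com", "invoice_id": 1002,
         "invoice_status": "draft"},
    ],
    "support": [
        {"reporter": "ana@example.com", "ticket": "T-1", "body": "login fails"},
    ],
}

AUDIT_LOG = []  # (action, subject, request date) entries for the DPO's records


def response_deadline(received_iso: str) -> str:
    """Art. 12(3): answer at the latest within one month of receipt (extendable
    by two further months for complex or numerous requests). 'One month' is
    taken as the same day of the following month, clamped to that month's end."""
    received = date.fromisoformat(received_iso)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    month_after = date(year + month // 12, month % 12 + 1, 1)
    last_day = (month_after - timedelta(days=1)).day
    return date(year, month, min(received.day, last_day)).isoformat()


def find_records(subject_id: str) -> dict:
    """Locate every record about one subject across the inventory."""
    hits = {}
    for store, meta in INVENTORY.items():
        key = meta["subject_field"]
        matches = [r for r in STORES[store] if r.get(key) == subject_id]
        if matches:
            hits[store] = matches
    return hits


def export_subject_data(subject_id: str, received_iso: str) -> str:
    """Subject access request: a portable JSON bundle with the response deadline."""
    bundle = {
        "subject": subject_id,
        "request_received": received_iso,
        "respond_by": response_deadline(received_iso),
        "data": find_records(subject_id),
    }
    AUDIT_LOG.append(("access", subject_id, received_iso))
    return json.dumps(bundle, indent=2, sort_keys=True)


def erase_subject(subject_id: str, received_iso: str) -> dict:
    """Erasure request: delete the subject's records everywhere except where a
    retention rule applies, and report what was deleted and what was kept."""
    report = {"deleted": {}, "retained": {}}
    for store, meta in INVENTORY.items():
        key = meta["subject_field"]
        keep, deleted, retained = [], 0, 0
        for record in STORES[store]:
            if record.get(key) != subject_id:
                keep.append(record)
            elif meta["retain"](record):
                keep.append(record)
                retained += 1
            else:
                deleted += 1
        STORES[store] = keep
        if deleted:
            report["deleted"][store] = deleted
        if retained:
            report["retained"][store] = retained
    AUDIT_LOG.append(("erasure", subject_id, received_iso))
    return report


if __name__ == "__main__":
    print(export_subject_data("ana@example.com", "2024-01-31"))
    print(erase_subject("ana@example.com", "2024-02-01"))
    print(find_records("ana@example.com"))  # only the issued invoice remains
```

The point of the inventory table is that export and erasure both iterate over the same list of stores, so a store that is missing from the inventory is missed by both; that is exactly the gap a regulator will ask about. The retention rule makes the "within certain parameters" part of Step 5 explicit and auditable: the erasure report says how many records were kept and in which store, which is what you tell the data subject and what the DPO keeps on file.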