Seven steps to GDPR-readiness
Across the last two blogs we’ve looked at some of the key articles within GDPR: Articles 15, 16 and 17 (‘right to access’, ‘right to rectification’ and ‘right to erasure’), and Articles 18, 19 and 25 (‘right to restriction’, ‘notification obligation’ and ‘data protection by design’).
Now that you have a better understanding of what GDPR is and who it applies to (any business on the planet that collects data on EU citizens), it’s time to gauge how ready you are to comply when it comes into force on 25th May by following some simple steps.
Review your current data position
Businesses should assess all customer data that exists within the firm in order to understand exactly how it is used and what processes are in place to manage it. If there is data which doesn’t serve a functional purpose, holding onto it may create more issues than it’s worth: it should be minimised or deleted entirely.
Put a team together
You should create a GDPR taskforce to take charge of getting the business ready for GDPR. Any changes to processes must be documented, which is itself another of the law’s requirements. The size of team required will be determined by the scale of your company, but it must be led from a senior level and contain experts on the law and on the business’ data processes.
Time to appoint a Data Protection Officer
You need to choose a point person to take overall responsibility. Appointing a DPO is a necessity if you:
- Are a public body (excluding courts acting in their judicial capacity)
- Carry out large-scale systematic monitoring of individuals
- Carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences
Even for organisations outside this scope, it still makes sense to have someone tasked with leading ongoing efforts. They should report straight to senior management and stay abreast of any evolution in the requirements so that changes are reflected in the business’ processes.
Update your privacy policies
GDPR was developed to increase transparency, so make sure your policies reflect this. Data privacy must be at the heart of all policies, including the ones you have with your suppliers. GDPR takes a ‘shared responsibility’ approach, which means that you will be held accountable for their actions too. Make sure your third-party network prioritises data privacy to the same standard that you do, as ignorance is no longer an excuse.
Get technical with data protection
You must make sure that customer data is secured using multiple cybersecurity measures; relying on too few will be viewed as non-compliance. One technology specifically mentioned in GDPR’s wording is ‘encryption’. When data is encrypted, the risk of it being accessed by outsiders is greatly reduced, so regulators actively encourage its use.
Tell everyone that you’re putting privacy first
Implementing the relevant changes will only be successful if employees know their own responsibilities and how they can help to ensure the company remains compliant. They need to be fully informed and engaged in the process.
Similarly, customers are looking for peace of mind that their personal information is in safe hands. Providing a sense of ease can be a competitive advantage and help to attract new customers.
Plan for further communications
GDPR has been developed for a data-driven and agile world, so you should be prepared for the regulation to evolve as demands change. Create policies in such a way that they are easy to update, and be prepared to regularly inform stakeholders of any amendments you make.