The European Union’s General Data Protection Regulation (GDPR) is going into effect in just two months — on May 25, 2018. Yet a recent Forrester report indicates that only about 30% of companies say they’re ready to comply, and at least some of those firms are actually overstating their readiness.
If you haven’t completed your preparations or you’re not confident about your status, we’ve created the following checklist to help your organization prepare for the upcoming changes. We hope you find it useful.
- Research: The first step is to learn all you can about GDPR and how it will affect your company’s operations. Make sure that you do a deep dive into the topic. Don’t settle for just reading a summary or two – make sure you’ve read the legislation itself plus multiple detailed articles discussing its ramifications.
- Interpretation: It’s vital that you actually understand the information you’ve read before attempting to apply the laws to your own organization. If you have a background in law or find it easy to process the content contained within the GDPR, then you can skip this step. Otherwise, you should probably seek help from a lawyer so they can break the regulations down into digestible bits for you.
- Share Your Knowledge: Everyone in senior management needs to be on the same page if you want to successfully implement the changes required. Once you’ve familiarized yourself with the GDPR, be sure to share what you’ve learned with all the key players in your organization, and make sure you have their buy-in as well as understanding.
- Hire a Data Protection Officer: Some organizations, such as those in the data processing industry, government agencies, and health care companies, are required under GDPR to employ a Data Protection Officer. Even if this requirement doesn’t apply to your company, you may want to voluntarily appoint a DPO to help ensure GDPR compliance.
- Create a Compliance Team: Select at least one person from each department to serve on a GDPR Compliance Team. This team will be responsible for evaluating current data protection policies, making necessary changes, and relaying pertinent information back to their respective divisions.
- Conduct an Audit: You need to know exactly what type of data your company collects, the length of time it’s stored, and how it’s protected. How do you obtain data and for what purpose? Are you collecting only the data that you need? What protections are in place to keep data secure?
- Be Thorough: According to GDPR, all data is not created equal. Special protections need to be put in place for sensitive personal data, children’s data, genetic data, etc. Check your current collection and storage systems to see how these specific types of data are dealt with.
- Check Third-Party Transfers: Under GDPR, you also need to ensure that the data you share with others is protected. Any contracts you have with outside vendors should stipulate that their company be GDPR compliant.
- Review Privacy and Consent Language: The new regulations require that companies have privacy and consent notices that are explicit and unambiguous. You need to check the language currently used and make changes to ensure that it’s straightforward and easily understood.
- Develop a Data Map: To ensure GDPR compliance, you need to have a thorough understanding of the way your company treats the data it has access to. One of the best ways to aggregate and convey this information is through a data map. Have your compliance team create a document, such as a spreadsheet or flowchart, that shows the sources of your data, how it’s processed and used by different departments, where it’s stored, how it’s kept secure, and when it’s disposed of.
- Identify Problem Areas: Now that you have a clearer idea how data moves through your company, you can start to identify which policies and procedures need to change in order to be GDPR compliant. In particular, you should look for the following:
  - Purpose: Are people informed how their data will be used when it’s collected?
  - Consent: Is the request for consent clear and upfront?
  - Relevance: Have you checked to make sure you only collect the information you need, without obtaining any excessive data?
  - Transparency: Are the details of your data collection practices available to the public?
  - Security: Is the data you have access to well protected? Is it encrypted? Are your databases password protected? Are servers off limits to unauthorized personnel?
  - Procedures: Do you have a system in place to deal with data breaches?
  - Accuracy: Is the data you currently have checked for accuracy? How is it kept up to date?
  - Retention: Do you have clear policies about how long data is kept?
  - Access: Can individuals put in a request to access their data? Are they able to modify or delete their data if they so choose?
  - Responsiveness: If an individual asks about the data you have on file for them, are you able to provide a timely response?
- Compliance Plan: After identifying problem areas, you can get to work creating a plan to bring your current procedures into GDPR compliance.
- Clear Policies: Be sure to translate the changes your company is making into clear policies and procedures that are easy to follow.
- Employee Training: Any employee with access to personal data must receive training on how to appropriately handle that data and remain in compliance with GDPR standards.
- Review, Reassess, and Reinforce: The new regulations go into effect on May 25, 2018, but that doesn’t mean the work of GDPR compliance is done. Your organization needs to stay vigilant: regularly review your procedures and make the necessary adjustments so your company continues to be GDPR compliant. GDPR compliance is not a once-and-done process; remaining compliant with the new data protection regulations requires ongoing effort and continuous oversight.
Final Words . . .
Hopefully your preparations for the GDPR are well underway, but if you’re still working on it, the steps in the preceding checklist will help you identify and evaluate areas where you still need to make changes.
GDPR is one of the most stringent frameworks we’ve seen, and it’s easy to feel overwhelmed by its requirements. Fortunately, a comprehensive intrusion detection platform like Threat Stack can help you achieve, demonstrate, and document compliance with GDPR, as well as other compliance frameworks such as PCI, HIPAA, SOC 2, and ISO 27001. Check out our GDPR microsite to learn more about how Threat Stack can get you up to speed.
Also, feel free to download the following ebooks prepared by Schellman & Company for additional information and guidance on GDPR: