Stibo Systems - The Master Data Management Company

How to Prepare for GDPR in Five Steps

 |
February 21 2017
| 2 minute read

If your business is lawfully obligated to adopt the General Data Protection Regulation (GDPR) or parts of it, now is the time to start thinking about it. Considering the wide scope of this new EU regulation, the sooner you start, the better. In this blog post we list the five steps you need to take for your business to be compliant by 25 May 2018.

spread-image-gdpr-1

Five steps on how to prepare for the General Data Protection Regulation (GDPR)

Step 1: Build the GDPR business case

Present the outlook of the GDPR to the relevant decision makers in order to build your GDPR business case. Your strongest argument will without a doubt be the financial sanctions from the European Union if you fail to be compliant in time or cannot document that you are towards authorities – it’s up to 4 percent of the global turnover or 20 Million Euros. But also make sure to include the brand damage and the mistrust from consumers if you fail at this.

Step 2: Appoint your GDPR accountable

This step is rather self-explanatory. You need to appoint a GDPR accountable or a GDPR team. Either way it’s an advantage to have people from various affected departments and people with insights into your organisation’s data processes involved. Of course, the GDPR main accountable needs to have insights into the regulation. You may want to hire legal help at this stage. Or if you already know that your organisation is obliged to hire a Data Protection Officer, there’s no better time than right now as he can guide and advice your team according to the requirements of the GDPR.

What is the General Data Protection Regulation (GDPR)?
Get the full overview of what it is and what you need to do.Get the White Paper

 

 

 

 

 


Step 3: Create a data landscape map (identify)

Your GDPR team now needs to create an enterprise data landscape map in order to identify where the data resides and how it’s being managed. These are just some of the questions they need to be able to answer:

  • Where do we store personal data?
  • Who updates it and what workflows are linked to it?
  • What is the data used for and for how long do we store it?
  • How do we communicate this usage to individuals and what does your data policy say?

Answering these questions may well be a hard task and will probably require all your internal teams to work closely under the guidance of the GDPR team.

Step 4: Create gap analysis and action plan

Once you understand how your business currently uses data, you need to audit your current policies, processes and systems against the content of the GDPR to reveal any non-compliant areas. This ‘gap analysis’ is to identify what measures you need to take in order to be compliant.  Once done, you will know what needs to change and can create your action plan accordingly. Prioritise the actions against risk and dont forget resource (time/budget) estimates.

Step 5: Hire external help

You can now start to implement the changes. Some tasks will be fairly simple and low risk, for instance updating your organisation’s privacy policy. While others, such as data breach notification and consent requirements, will very likely be a costlier and higher risk task.

There will very likely be some tasks that you cannot solve internally or without help. When you encounter these, do not hesitate to hire external specialists.

dealing with gdpr


Topics: 
Master Data Management Blog by Stibo Systems logo

Martin Samuel Nielsen is the Chief Information Security Officer (CISO) at Stibo Systems. Martin, who has worked with information security in some of Northern Europe’s biggest companies, including Vestas and Velux, has a great passion for making data protection and information security an integral part of the daily business processes. He holds several personal information security certifications, such as CISA, ESL, CISSP, CISM and CRISC. Martin is also the leading force behind Stibo Systems’ ISO/IEC 27001:2013 certification, the international standard outlining best practices for information security management.



← Previous Post
Next Post →