If your business is lawfully obligated to adopt the General Data Protection Regulation (GDPR) or parts of it, now is the time to start thinking about it. Considering the wide scope of this new EU regulation, the sooner you start, the better. In this blog post we list the five steps you need to take for your business to be compliant by 25 May 2018.
Present the outlook of the GDPR to the relevant decision makers in order to build your GDPR business case. Your strongest argument will without a doubt be the financial sanctions from the European Union if you fail to be compliant in time or cannot document that you are towards authorities – it’s up to 4 percent of the global turnover or 20 Million Euros. But also make sure to include the brand damage and the mistrust from consumers if you fail at this.
This step is rather self-explanatory. You need to appoint a GDPR accountable or a GDPR team. Either way it’s an advantage to have people from various affected departments and people with insights into your organisation’s data processes involved. Of course, the GDPR main accountable needs to have insights into the regulation. You may want to hire legal help at this stage. Or if you already know that your organisation is obliged to hire a Data Protection Officer, there’s no better time than right now as he can guide and advice your team according to the requirements of the GDPR.
Your GDPR team now needs to create an enterprise data landscape map in order to identify where the data resides and how it’s being managed. These are just some of the questions they need to be able to answer:
Answering these questions may well be a hard task and will probably require all your internal teams to work closely under the guidance of the GDPR team.
Once you understand how your business currently uses data, you need to audit your current policies, processes and systems against the content of the GDPR to reveal any non-compliant areas. This ‘gap analysis’ is to identify what measures you need to take in order to be compliant. Once done, you will know what needs to change and can create your action plan accordingly. Prioritise the actions against risk and don’t forget resource (time/budget) estimates.
You can now start to implement the changes. Some tasks will be fairly simple and low risk, for instance updating your organisation’s privacy policy. While others, such as data breach notification and consent requirements, will very likely be a costlier and higher risk task.
There will very likely be some tasks that you cannot solve internally or without help. When you encounter these, do not hesitate to hire external specialists.