As I discussed earlier this month, failure to comply with the new General Data Protection Regulation (GDPR) by this coming May could be extremely costly for businesses on both sides of the Atlantic. Any firm, wherever in the world it is located, that handles personal data about residents of the European Union (EU) could face severe sanctions if it does not implement the protections the new EU law requires.
So, what should a business do now to make sure it is ready?
As was discussed in the recent Modern Workplace Webcast, GDPR Impact, here are seven steps:
- Get senior management on board
Create an appropriate steering committee for the GDPR initiative. Like most other major technology and compliance initiatives, senior management must “buy in” and sponsor the project if it is to be successful.
- Hire or appoint a data protection officer
Firms that the GDPR requires to have a data protection officer (DPO) should begin searching for, and if necessary hiring, a qualified individual as soon as possible. Under Article 37 this includes public authorities and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Firms that are not required to have someone uniquely fulfilling this role should still make sure that a named person at a senior level owns responsibility for data privacy and GDPR compliance.
- Get legal opinions
You need to understand what your legal team believes you need to do in order to comply with GDPR – as well as with any other privacy laws that may exist in the regions in which you operate and conduct business, or in which your customers and/or suppliers are located.
- Do data discovery
It is impossible to protect data if you do not know what you have. Make sure that you know the answers to the following questions:
  - What types of personal data do you collect?
  - Where is it stored?
  - How is it secured?
  - Who has access to it?
  - How do you use it, and on what lawful basis?
  - With whom do you share it, and does it leave the EU?
  - How do you back it up?
  - How do you destroy it when you no longer need it?
  - How much data is involved?
- Perform a risk analysis
Understand your risks: for each category of personal data you found, identify what could go wrong (unauthorized access, loss, misuse, excessive retention), how likely it is, and what the impact would be, both for the individuals concerned and for the business. Where processing is likely to present a high risk to individuals, the GDPR (Article 35) requires a formal data protection impact assessment (DPIA).
- Perform a gap analysis
Figure out where your policies, procedures, technologies, etc. fall short of the requirements you identified in the steps above – and create a plan, with owners and dates, to close each gap.
- Document throughout the process
Document. Document. Document. The GDPR's accountability principle means you must be able to demonstrate compliance, not merely achieve it. Documentation can help prevent mistakes, and can also help ensure that any regulators that examine your firm understand your thinking and why any particular decisions that they question were made. Also, document your deltas (the gaps identified in step 6 above) – so regulators can see that you know what issues you have and are working to fix them.
For more details please view the free webcast, GDPR Impact.
This post is sponsored by Microsoft.