4 Steps to GDPR Compliance
Posted by: Diarmaid Flynn - Client Service Director
When: 09 August 2017
GDPR is less than 286 days away and it is starting to get the attention of company executives. But why do they care now? There have been plenty of directives before.
The key difference is that this is no longer a directive, which each member state transposes into its own national law with local variation. GDPR is a regulation: it applies directly, and in the same form, in every EU member state. It also carries large penalties for organisations that are non-compliant: fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. That is a lot of money in anyone's books.
Here are some simple steps an organisation can take to ensure they are compliant:
1. Discover & Define
Find out all the data you hold on consumers and staff. You need to know where it is located, who currently manages it and who has access to it. To do this, engage with as many stakeholders and departments as possible, and check whether IT has data discovery tools to assist you: personal data hides in spreadsheets, mailboxes and file shares as well as in the systems of record.
Once you have gathered all of the data, you need to understand why you have it. Define each data set by asking: why is it needed, how sensitive is it, and do you have a lawful basis to keep it? If you have no lawful basis for keeping the data, delete it. Categorise what remains into personal-data items, flag the special categories (health, ethnicity, biometrics and the like, which carry stricter rules), and then rank them by importance.
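The data discovery tooling the step above asks IT for can be as simple as a pattern scanner run over file shares and exports. The following Go program is an added example written for this page, not code from the original post or from Ergo Group. The three detectors (e-mail address, Irish PPS number, Irish mobile number), the source labels and the sample file contents are constructed for illustration and would need tuning and validation before real use. Each match is masked before it goes into the report, so the inventory does not itself become one more copy of the personal data it found.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one occurrence of a personal-data pattern in a scanned source.
type Finding struct {
	Source   string // where the data lives, e.g. a file path (hypothetical labels below)
	Category string // which detector fired: "email", "pps" or "phone"
	Line     int    // 1-based line within the source
	Match    string // the match, masked so the report is not itself personal data
}

// detectors is an illustrative set of patterns assumed for this example.
// Real discovery tooling needs jurisdiction-specific patterns plus validation
// (checksums, surrounding context) to keep false positives down.
var detectors = map[string]*regexp.Regexp{
	"email": regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
	"pps":   regexp.MustCompile(`\b\d{7}[A-Z]{1,2}\b`),         // Irish PPS number: 7 digits, 1-2 letters
	"phone": regexp.MustCompile(`\b08\d[ -]?\d{3}[ -]?\d{4}\b`), // Irish mobile number, national format
}

// mask keeps only the last three characters of a match.
func mask(s string) string {
	if len(s) <= 3 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-3) + s[len(s)-3:]
}

// Scan runs every detector over one source and returns its findings in a
// stable order (Go map iteration order is random, so we sort explicitly).
func Scan(source, text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for cat, re := range detectors {
			for _, m := range re.FindAllString(line, -1) {
				out = append(out, Finding{Source: source, Category: cat, Line: i + 1, Match: mask(m)})
			}
		}
	}
	sort.Slice(out, func(a, b int) bool {
		if out[a].Line != out[b].Line {
			return out[a].Line < out[b].Line
		}
		return out[a].Category < out[b].Category
	})
	return out
}

// Inventory scans every source and counts findings per source and category:
// the raw material for the "where is it, who owns it" record step 1 asks for.
func Inventory(sources map[string]string) map[string]map[string]int {
	inv := make(map[string]map[string]int)
	for src, text := range sources {
		inv[src] = make(map[string]int)
		for _, f := range Scan(src, text) {
			inv[src][f.Category]++
		}
	}
	return inv
}

// sampleSources are constructed stand-ins for exported files on a file share.
var sampleSources = map[string]string{
	"hr/payroll.csv":  "name,pps,phone\nAoife Murphy,1234567T,087 123 4567\nSean Walsh,7654321AB,086-555-0199\n",
	"crm/export.csv":  "customer,email\nAcme Ltd,buyer@example.com\n",
	"docs/README.txt": "No personal data here. Contact the helpdesk by phone.\n",
}

func main() {
	for src, counts := range Inventory(sampleSources) {
		fmt.Printf("%-16s %v\n", src, counts)
	}
	for _, f := range Scan("hr/payroll.csv", sampleSources["hr/payroll.csv"]) {
		fmt.Printf("  line %d %-5s %s\n", f.Line, f.Category, f.Match)
	}
}
```

The per-source counts are what feeds the record of processing; the per-line findings are what you hand to the data owner so they can decide whether each field is needed, how sensitive it is and on what lawful basis it is kept.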
2. Process & Control
Put in place a clear lawful basis for each processing activity and ensure that every process has a clearly defined privacy notice, published to the people whose data you process and communicated across your organisation. In the lead-up to 25 May 2018, when the regulation starts to apply, test all of your processes with use-case scenarios to ensure they work.
The processes should also include a clear reporting process, so that the data is readily available and presentable in a standard format when someone exercises their right of access or of data portability.
You should also ensure that all personal data is encrypted, so that a stolen copy is of little use to the thief. Encrypt storage at rest and data in transit, and keep the keys separate from the data they protect: an attacker who copies a database together with its keys has gained nothing from your encryption, and neither has one who compromises an application that already holds the key. Keep a full record of every place this data can be found, be it storage tapes, cloud services, databases or paper (which cannot be encrypted and needs physical controls instead). Where systems access the data, record them centrally for easy reporting.
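The encryption advice above is easier to reason about in code. The following Go program is an added example, not part of the original post: it seals one hypothetical customer record with AES-256-GCM under a key that is generated and held apart from the record, binds the record ID into the ciphertext so a blob cannot be swapped between customers, and shows that a copy of the record without the key, a blob moved to another ID, or a tampered blob all yield nothing. The record layout, the sample data and the key-management comments are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is a hypothetical stored personal-data record: the identifier stays
// in the clear for lookups, the personal fields are one sealed blob.
type Record struct {
	ID         string
	Ciphertext []byte // nonce || AES-GCM(ciphertext || tag)
}

// NewKey returns a fresh 256-bit data-encryption key. In a real deployment the
// key lives in a KMS or HSM, never in the same database as the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts the personal fields with AES-256-GCM. The record ID is passed
// as associated data, so a ciphertext only opens under the ID it was sealed for.
func Seal(key []byte, id string, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Ciphertext: gcm.Seal(nonce, nonce, plaintext, []byte(id))}, nil
}

// Open decrypts a record. It fails if the key is wrong, the blob was altered,
// or the blob was copied onto a different record ID.
func Open(key []byte, r Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(r.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := r.Ciphertext[:gcm.NonceSize()], r.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(r.ID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the fields are the ones step 1 would have found.
	rec, err := Seal(key, "cust-1042", []byte("Aoife Murphy, 087 123 4567"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: id=%s blob=%x\n", rec.ID, rec.Ciphertext)

	// A thief who copies the datastore but not the key gets only the blob.
	wrongKey, _ := NewKey()
	if _, err := Open(wrongKey, rec); err != nil {
		fmt.Println("without the key:", err)
	}
	// Re-labelling the blob under another customer is detected.
	if _, err := Open(key, Record{ID: "cust-9999", Ciphertext: rec.Ciphertext}); err != nil {
		fmt.Println("moved blob:", err)
	}
	pt, _ := Open(key, rec)
	fmt.Println("with the key:", string(pt))
}
```

The practical consequence for the record-keeping in this step is that the key, not the ciphertext, is now the thing whose location and access list you must be able to report on.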
3. Protect & Enable
IT departments exist for a reason, and they need to be at the core of the organisation. Shadow IT flies in the face of the centralised compliance approach GDPR demands. IT needs to be the gateway through which all personal data flows, and every system that holds it must be protected to prevent data breaches. If you scan your systems and find vulnerabilities, fix them as soon as possible.
If you develop your own software, use OWASP tooling to scan your code and its dependencies (OWASP ZAP for the running application, OWASP Dependency-Check for third-party libraries). If it finds vulnerabilities, share the findings with the rest of the IT team, as other systems may carry the same risks yet to be detected.
Many organisations must also appoint a Data Protection Officer (DPO): public bodies, and any organisation whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. Even where a DPO is not mandatory, someone must own overall compliance. Aside from the DPO, it is imperative that all of your employees are educated in GDPR and trained on the processes; include them in the test scenarios. It is also important that you communicate with service users, so that both of you are fully informed about how data is used.
If there is a breach, report it to the regulator within 72 hours of becoming aware of it, and inform the affected individuals without undue delay where the breach is likely to put them at high risk. This is one reason the encryption in step 2 matters: where the stolen data was unintelligible to the attacker, the regulation does not require you to notify the individuals.
4. Review & Repeat
It is all well and good to do this as a one-off effort, but each of the points above will need to be carried out on an ongoing basis. Keep analysing your data in case someone has created new fields or data sets that could compromise your compliance. This keeps you compliant and reduces the overall risk to your business.
Following these steps will go a long way towards getting you ready for GDPR and making a debilitating fine less likely.
To get started, complete our free five-minute GDPR assessment to see how compliant your company is right now: www.ergogroup.ie/gdpr