Note: This is the third of an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more.
Having already reviewed GDPR Requirements, Roles, and Reporting Timelines and GDPR Privacy Protection & Breach Notification, today we will look at some of the things that go into developing a Compliance Strategy and the steps to take as we lead up to the date the GDPR takes effect and beyond.
One of the first steps organizations will need to take (if they haven’t already) is to assess where they stand when it comes to compliance with GDPR. As a part of this assessment, organizations should aim to discover their data assets. One of the primary reasons for GDPR is to protect data, particularly the personal data of EU citizens. Discovery therefore means building a complete picture of what data there is, where the data is held, who processes the data or has access to it, how long the data is retained, and what purpose the data is used for.
Hopefully, for most organizations, these assessments have already been completed as the date for compliance draws near. Once an organization understands its data assets, it should be able to assess where it falls short of the GDPR standards and to understand the steps required to be better prepared for compliance. The next step for companies is putting in place the measures that will bridge any gaps found during the assessments.
It is important to note that the changes required will not be purely technical in nature. Organizations will also have to consider revamping or creating new internal processes, changes in policies and data collection procedures, plus the creation and filling of critical roles as required by the GDPR (such as the Data Protection Officer).
Getting ready for GDPR compliance can be viewed as a two-part process. The first part is to develop the mechanisms that allow the organization to meet the obligations of GDPR. To do this, companies will have to make changes to all of the technical and non-technical areas as required. Once the changes are in place and the compliance date has passed, organizations will have to perform the day-to-day operations that keep them compliant with GDPR. Companies will have to understand that compliance will always be a moving target in an ever-changing data and technology environment. Having a GDPR Compliance Strategy will be critical to minimizing the risk associated with data protection, not only leading up to the effective date but also as companies move forward in a data protection world governed by the EU’s GDPR.