If your business is lawfully obligated to adopt the General Data Protection Regulation (GDPR) or parts of it, now is the time to start thinking about it. Considering the wide scope of this new EU regulation, the sooner you start, the better. In this blog post we list the five steps you need to take for your business to be compliant by 25 May 2018.
Five steps on how to prepare for the General Data Protection Regulation (GDPR)
Step 1: Build the GDPR business case
Present the outlook of the GDPR to the relevant decision makers in order to build your GDPR business case. Your strongest argument will without a doubt be the financial sanctions from the European Union if you fail to be compliant in time or cannot document that you are towards authorities – it’s up to 4 percent of the global turnover or 20 Million Euros. But also make sure to include the brand damage and the mistrust from consumers if you fail at this.
Step 2: Appoint your GDPR accountable
This step is rather self-explanatory. You need to appoint a GDPR accountable or a GDPR team. Either way it’s an advantage to have people from various affected departments and people with insights into your organisation’s data processes involved. Of course, the GDPR main accountable needs to have insights into the regulation. You may want to hire legal help at this stage. Or if you already know that your organisation is obliged to hire a Data Protection Officer, there’s no better time than right now as he can guide and advice your team according to the requirements of the GDPR.
What is the General Data Protection Regulation (GDPR)?
Get the full overview of what it is and what you need to do.Get the White Paper
Step 3: Create a data landscape map (identify)
Your GDPR team now needs to create an enterprise data landscape map in order to identify where the data resides and how it’s being managed. These are just some of the questions they need to be able to answer:
- Where do we store personal data?
- Who updates it and what workflows are linked to it?
- What is the data used for and for how long do we store it?
- How do we communicate this usage to individuals and what does your data policy say?
Answering these questions may well be a hard task and will probably require all your internal teams to work closely under the guidance of the GDPR team.
Step 4: Create gap analysis and action plan
Once you understand how your business currently uses data, you need to audit your current policies, processes and systems against the content of the GDPR to reveal any non-compliant areas. This ‘gap analysis’ is to identify what measures you need to take in order to be compliant. Once done, you will know what needs to change and can create your action plan accordingly. Prioritise the actions against risk and don’t forget resource (time/budget) estimates.
Step 5: Hire external help
You can now start to implement the changes. Some tasks will be fairly simple and low risk, for instance updating your organisation’s privacy policy. While others, such as data breach notification and consent requirements, will very likely be a costlier and higher risk task.
There will very likely be some tasks that you cannot solve internally or without help. When you encounter these, do not hesitate to hire external specialists.