With the May 2018 deadline looming, the 48% of organisations who said they are seeking or will be seeking advice, really need to do so quickly.
But what are the key things firms should be doing?
As GDPR places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located, the most important first step is to ascertain whether you are affected by the regulation or not. This involves a full data audit to work out whether you are processing personal data belonging to EU citizens. If the answer to this question is yes, then GDPR applies and you should have a plan around how you will evaluate your existing data to understand where it is, why you have it, how old it is, whom it belongs to and if the subject has given consent for you to hold that information.
Next, map your data against GDPR regulations, paying particular attention to the categorisation of your data, so that it can be safely deleted at the end of the timespan if the data is no longer needed for the original purpose, or if the subject requests it.
Review your cybersecurity and data protection policies. To comply with GDPR, data must be stored securely. Tokenizing or encrypting data will keep it secure and authentic. Ensure the data is portable and use non-proprietary systems with open standards where possible, to ensure that all data and associated files can be transferred to another system when needed.
Do you have monitoring tools which will give valuable insight into data breaches, or possible compromise of security defences? Firms need to be able to report notable breaches to the relevant supervisory authority within 72 hours of the organization becoming aware of it.
Review your supply chain to make sure they are compliant. Cloud providers, marketing and mailing companies, outsource partners such as HR and Accounts functions, all will be handling your employees’ or customers’ personal data. It’s not enough to assume they are covered, you are still responsible for your data, and ultimately you’ll be in the firing line if data is compromised.
Tick all your international compliance boxes and consider trans-Atlantic data transfers and client handling activity, and ensure GDPR activities also meet US regulations like Privacy Shield. Use the most stringent regulations as the yardstick.
Update internal policies and processes and communicate these out clearly and regularly so that staff and customers are aware of the changes. Review and update privacy notices and create a GDPR compliant process for data access requests. Plan and communicate how requests to move or transfer data will be addressed. Involve key stakeholders early and get them on board with your compliance activities in order to embed good behaviour before the deadline.
With the survey respondents stating an expected timescale of seven months to become GDPR compliant, and just eight and a half months before the deadline for compliance, there’s no time to waste.
As a certified GDPR body, RFA offers a suite of GDPR solutions, including (but not limited to) outsourced DPO.