Much of the General Data Protection Regulation is based on the Data Protection Act which preceded it. However, just because organisations are compliant with the current DPA doesn’t mean they have nothing to do to get ready for the GDPR, which applies from May 25th 2018. Here are seven steps that organisations can take to prepare.
Audit your Data
The first step of ensuring you are ready for the GDPR is to determine what data you have. Conduct an audit to determine what data you store and what data you process. How long do you store the data and for what reasons? What processes do you subject the data to and why?
Once you have determined what data you have and its purpose, you can begin structuring your policy accordingly.
Identify those responsible
Once you know what data your organisation holds, you need to determine who is responsible for it. Who will oversee ensuring the data is handled in accordance with the regulation and adheres to the organisation’s policies?
Design and implement appropriate measures to protect the data
Ensure that the appropriate mechanisms are in place to protect the Confidentiality, Integrity and Availability of the data. Knowing what data your organisation handles will indicate what level of security each kind of data requires. Designing the appropriate physical, procedural and technological measures to protect the data will allow the organisation to allocate resources efficiently and lead to reduced overall costs.
Develop processes to deal with breaches and incidents
Hope for the best, plan for the worst. Having processes in place to enact in the event of a breach is not only required by the GDPR but is good practice. These incident/breach response procedures will help minimise the damage done to the organisation if it is targeted.
Designate a Data Protection Officer and supporting team.
One of the key principles of the GDPR is the implementation of a Data Protection Officer. The DPO will be the one responsible for ensuring the organisation is compliant with the regulation. Depending on the size of the organisation and the complexity of the data pathways, it may be necessary to designate a supporting team for the DPO to utilise.
Understand whose data you are controlling and/or processing
Consent rules all. The GDPR puts the responsibility on the organisation to gain specific and explicit consent for all personal data they handle. Consent must be gained from the data subjects separately for every purpose the data will be used for. Understanding whose data you are dealing with is imperative in order to gain consent and to ensure appropriate measures are in place to protect it. The GDPR also requires the organisation to inform the data subject in the event of a breach involving any data related to that data subject, so knowing whose data is involved is necessary to maintain transparency.
Develop a culture of privacy by design across the organisation
It’s not enough to just write a policy that makes the organisation compliant if it is not followed. Privacy by design means that “privacy” is considered and implemented from the beginning of development. This applies to the development of technology, processes and policies. Ensuring the culture of the organisation is in line with this will mean that privacy measures are built into the organisation from the ground up and will reduce the risk to the organisation as a whole. The organisation’s culture of privacy by design will help enforce compliance at all levels.
You can assess your state of compliance for free with a new Automated Compliance Manager – CyReg GDPR. It will take 5 minutes, but can save a lifetime of problems.