4 steps to getting started with GDPR compliance
Most data managers have now heard enough about the European Union’s General Data Protection Regulation that they’ve moved beyond denial, anger, bargaining, and depression to grudging acceptance that it will indeed require major changes in their operations. But this leaves many wondering exactly how to move ahead in adapting to the new regime. Here’s a checklist of initial steps to take as the May 2018 compliance deadline moves rapidly closer.
Put someone in charge
More than anything else, GDPR is about process. Many organizations impacted by GDPR need to appoint a data protection officer who will be responsible for defining procedures to ensure compliance. This person needs to be an expert resource who builds awareness and trains people within the company on compliance procedures, and who is the point of contact for external authorities when there’s a question, complaint, or, heaven forbid, breach to report. GDPR has strict rules to ensure the data protection officer has the resources, independence, and senior management access needed to do the job effectively. Like nearly everything else about GDPR, this really forces companies to do things they should be doing anyway but in practice have often not prioritized highly enough to do effectively.
Check your procedures
GDPR requires documented procedures for many things, including defining the legal basis for using data you acquire; delivering privacy notices and acquiring explicit consent when required; managing access to data by users within and outside the company for specified purposes; handling requests by customers and other data owners to review, correct, delete, or share their data; assessing security and the impact of any data breaches; training employees in data handling; and building privacy considerations into system designs. With some notable exceptions, GDPR generally avoids specifying process details and instead puts the burden on companies to demonstrate that their processes are suitable to their particular situation. The first step in meeting this standard, of course, is having documented processes for regulators to assess.
Meet technical requirements
GDPR does have some explicit requirements, such as responding to customer complaints within 30 days, sharing or erasing customer data on request, keeping records of who sees which data, and reporting breaches within 72 hours. Other capabilities, such as data classification, encryption, and centralized customer data management, may not be explicitly specified but are almost inevitably needed to comply. Most organizations will need to do a detailed technical assessment of their systems and determine what changes they need to make.
Define a governance structure
Compliance with GDPR will clearly be a moving target as regulatory rulings clarify what’s expected, best practices evolve, and technologies change. Your firm will need a governance structure to ensure your processes keep up with the changes. One key element of this governance process will be Privacy Impact Assessments, which assess the risk of any proposed data use, balance that risk against the business value, and determine when to ask permission from a supervisory authority. The data protection officer will play a key role in governance, but GDPR also touches the legal, compliance, human resources, training, IT, insurance, security, procurement, marketing, customer relations, and communications departments. All must be engaged in the governance process.
Of course, this checklist just scratches the surface of the actual steps your company will need to take to comply with GDPR. Moving to a deeper level requires detailed assessment of your specific situation. The important thing is to get started on that assessment, working with experts you train or hire. After that first step, every company will follow its own unique path.
If you want some idea of where your company’s own path might lead, here are some resources:
- "GDPR Compliance and Its Impact on Security and Data Protection Programs," Osterman Research for CipherCloud http://pages.ciphercloud.com/osterman-report-GDPR-compliance.html
- "GDPR Checklist," Norton Rose Fulbright http://www.nortonrosefulbright.com/knowledge/publications/139464/gdpr-checklist
- "GDPR Compliance Checklist," Latham & Watkins http://www.globalprivacyblog.com/files/2017/05/GDPR-Compliance-Checklist-003.pdf
- "The GDPR at a Glance," Linklaters www.linklaters.com/pdfs/mkt/london/General_Data%20Protection_RegulationGDPR_Brochure_WEB_FINAL_Spreads4.pdf
- "Preparing for Compliance with the General Data Protection Regulation (GDPR)," SANS Institute https://www.sans.org/reading-room/whitepapers/analyst/preparing-compliance-general-data-protection-regulation-gdpr-technology-guide-security-practitioners-37667
- "Preparing for the General Data Protection Regulation (GDPR)," Information Commissioner’s Office (UK) https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- "EU GDPR Summary of Key Provisions," Promontory Financial Group www.promontory.com/uploadedFiles/Articles/.../151221_GDPR_compromise_A4.pdf