7 steps to ensure an organization is GDPR-ready
With only two months until the EU’s General Data Protection Regulation goes into full effect, many organizations still seem to be slow-moving when it comes to compliance.
In fact, nearly one in four London businesses reported that they were unaware of the new data protection regulation with just weeks to go before the May 25 deadline, according to a London Chamber of Commerce and Industry (LCCI) survey. The survey also found that, of the business decision-makers who are aware of GDPR and believe it will affect them, only 16 percent said their business is prepared for it.
Not only are these numbers significant, but so too are the consequences of failing to get on board. Until now, the EU’s data protection standards and rules lacked the teeth to command compliance. But now, under GDPR, financial penalties for data protection violations are severe – €20 million (nearly $25 million USD) or 4 percent of annual global turnover (whichever is higher) to be exact. And it’s not just EU-based businesses that GDPR affects, but any organization processing personal data of EU citizens.
While this all sounds ominous and complex, it doesn’t have to be. Foundationally, GDPR compliance is about following sensible information management practices – something all businesses should be practicing – to secure and organize the heaps of customer data they collect. In fact, oftentimes the biggest obstacle for businesses is that employees do not follow their organization’s information governance policies, whether it’s because storing content in these platforms is onerous or simply due to ignorance of the rules.
To become GDPR-compliant before the looming deadline, here are seven practical steps that both improve employee awareness of proper data governance and establish the practices that make it more likely people will follow the rules.
1. Get Consumers’ Consent
Companies across industries are collecting more consumer data than ever before. Under GDPR, be clear about what information you’re collecting and how it will be used, and have a legal document in place that clearly outlines both. Also collect only the data you need: if you don’t need to know a person’s gender for a specific reason, consider eliminating those prompts on your website.
2. …And Honor Their Wishes
As part of the GDPR, ‘The Right to be Forgotten’ will allow consumers to demand that an organization delete any data it holds on them. In order to honor this, be sure that all personal information is moved to a central environment so it can be easily and thoroughly removed, which leads to our next step:
3. Unify Your Data
Aim to store all personal customer data in one central environment, or connect your on-premises and cloud deployments. If this is not possible, make sure that each department has a single space for storing data. Eliminate shadow IT and train all staff to be compliant with these practices.
4. Give Your Data a ‘Spring Cleaning’
One of the easiest ways to begin complying with the GDPR is to perform an audit of all the information you currently hold and search for any personally identifiable information that may exist across your organization. Move what you want to keep to a central repository and delete the rest.
5. Make Information Easy to Find
As of May 2018, consumers will have the right to make a ‘subject access request,’ in which a company must be able to provide them with a file containing all the information it holds on them. To be compliant, you will need to be able to confidently collect data about a specific customer from all your systems. This may involve gathering data from multiple systems, so have the technology and processes in place to do so.
6. Automate Records Management
Personal customer information that your staff receives must be recorded centrally, have permissions and metadata tags applied, and be destroyed when no longer required. Don’t keep paper records, and implement strict, automated processes governing how long you hold onto this information and what happens when it’s no longer needed.
7. Last, But Not Least: Make Sure Information is Secure
Under GDPR, companies must store any data they collect via internal systems in a secure platform. Assess your current cybersecurity measures, make sure basic security procedures such as encryption and password protection are in place and then promote security best practices amongst members of your organization.
With the looming GDPR deadline, it’s important for organizations to start implementing practices that improve data management company-wide, and the time to do it is now. From determining how to securely store and organize data to auditing the processes already in place, business leaders can use these seven practices to close the GDPR compliance gap once and for all.