Get Ready for GDPR
Your step-by-step guide to getting into compliance before May 25
The May 25 deadline is nearly upon us, but there are still steps organizations can take to make progress before the regulators arrive. Start by reviewing General Data Protection Regulation (GDPR) to see if it applies to your organization. If the answer is yes, continue with the steps below.
1 Establish a record of data processing operations per Article 30 of the regulation. Specifics vary depending on whether an organization is a controller or processor, but in general, Article 30 requires that organizations establish and maintain a description of the categories of data subjects and personal data processed or monitored, as well as any recipients who will have access to the information. It’s important to note that Article 30 doesn’t constitute a data inventory, although detailed knowledge of where data is stored for your business will help with the larger effort of compliance.
2 Conduct a Data Protection Impact Assessment (DPIA). Focusing on high-risk processing operations, a DPIA analyzes how information traceable to data subjects is gathered, applied, shared and maintained. The document should describe the processing, including the justification for conducting it and the proportionality of the benefit compared to the level of risk to the rights and freedoms of data subjects. It should also evaluate the risks involved in terms of their origin, nature and severity.
The second key element of the DPIA is to identify the actions required to mitigate these risks, including security measures, safeguards and mechanisms to demonstrate compliance with the regulation.
3 Establish a roadmap to compliance. Start by identifying any gaps between the current system and GDPR requirements.
Next, draft a remediation plan. How will you make data easily accessible to a data subject at their request? What is required to enable an individual to have their data erased upon request? How will you change your process so that current and future development are designed from the beginning for compliance?
Depending on the size of an organization and the scale of its activities, achieving GDPR compliance can be both time-consuming and challenging. Beginning the journey through the aforementioned steps provides tangible progress and demonstrates good faith to regulators.
? Not sure if General Data Protection Regulation applies to your organization? Visit bit.ly/1TtydR4 to read the legislation in full.
Remember, legacy data and systems aren’t grandfathered into GDPR. Your roadmap needs to include a plan for locating the data categories of interest and accessing and processing individual records, regardless of the storage media involved.