Getting ready for GDPR compliance is more than just implementing a number of technical solutions. Attaining compliance involves first taking the right steps to achieve compliance and then putting monitoring activities in place to ensure it is sustained. There is no certificate to gain for GDPR compliance, so it is up to each organisation to implement a solution that demonstrates compliance.
Step 1: Understand why you need to be compliant
Apart from the large fines that you may incur by not ensuring that your organisation is GDPR compliant, there are many business reasons for sustaining ongoing compliance. A key advantage is the opportunity to review your data to determine what you need to keep and what you can discard. This process allows you to assess the security controls protecting the data and to review your legacy data and the amount of duplication in your environment. As most companies allocate an IT budget for GDPR compliance, it is an excellent opportunity to implement new solutions that you have not been able to justify in the past. Remember that for many organisations GDPR will require a change in mindset. At its core is respect for the individual and the data that you hold about them.
Step 2: Determine processes already in place, run a gap analysis
Most organisations already have some compliance controls in place, even if they are not applying them consistently. Conversely, organisations that are applying such controls may not have formally documented the processes and procedures behind them. To establish where you stand, you may wish to ask the following:
- How compliant are you with the data protection laws currently in force?
- How sophisticated is your organisation with respect to data protection?
- What policies and procedures are in place and how are they documented?
Review what your organisation currently does when a data subject asks for the personal information held about them. Compare this with the GDPR requirements and work out what you need to do to close the difference. The resulting ‘gap analysis’ is one of the most crucial steps on the GDPR compliance roadmap.
Step 3: Work out a timeline
Organisations are expected to be compliant by 25 May 2018. Whether you meet this deadline depends on your gap analysis. The priority is to ensure that you are on the road to compliance; doing nothing is not an option.
Step 4: Make a Plan
Gather key stakeholders, review the guidance available, start with a kick-off meeting and ensure you have regular meetings throughout the whole project. Determine governance, resources and budgets. To be able to ensure compliance with GDPR, you will need a clear picture of what personal data you collect today, how you use it, where you use it, and with whom you share it. Inevitably you will not be able to implement all the changes immediately, so you will need to identify time-critical resources, technologies and processes and thereby establish your list of priorities.
Step 5: Pause and Review
Many people go straight from the Plan stage to the Implement stage. The pause and review step is vital. At this stage you have far more information available than you had when you first ran your gap analysis. You may have remedial steps that were lower down on the original list of priorities. These steps are still important, but they are likely to be lower risk, easier to implement and to need a shorter lead-in time, so you may want to implement them first as quick wins.
Step 6: Implement change
Now it is time to get started on those remedial steps and to make use of the new opportunities you have identified (and prioritised). Here are just a few things you need to be doing at this stage:
- Put in place policies and governance structures that will allow you to comply with the various requirements of the GDPR and to demonstrate compliance in accordance with the principle of accountability
- Allocate or re-allocate responsibilities within your business for the various tasks under the GDPR to avoid liability
- Put in place the processes required to comply with the procedural obligations under the GDPR. For example, notify the regulator and data subjects (where required) in the event of a personal data breach, and respond to data subjects exercising their rights (such as the right of access, the right to erasure, also known as the right to be forgotten, and the right to data portability)
- Roll out a programme of training for your employees
- Make technical changes to your websites and online platforms relating to legal notices, general terms and conditions, privacy policies and forms used to collect data (and any relevant consents)
- Re-negotiate existing contracts with customers and data processors (where possible), and amend your templates for future contracts
- Refresh your consents (if required)
Step 7: Follow up with on-going monitoring and maintenance
As you start to use your new policies and processes, you may find that they do not work perfectly on a day-to-day basis, or that things could be done more efficiently. The next two years will be a learning process for your business. The key is being able to identify any problem areas, work to find a solution and make sure that solution is itself GDPR-compliant.
GDPR, and your business, will not stand still. While it is unlikely that there will be significant changes to the text of GDPR anytime soon, we do expect to see a lot of guidance over the next two years, at a national and international level, on how it should be interpreted.
During this time your business, and the way it uses personal data, may well change. As well as being compliant on 25 May 2018, you will need to ensure that you remain compliant on an on-going basis from then on.