What’s the Best Way to Stay Compliant with GDPR?
Steven Minsky | Oct. 3, 2018
We’d like to congratulate the 25% of US-based companies that achieved GDPR compliance by the May 25th deadline, and to share a little guidance on how to stay compliant over time.
As we all know, the GDPR is a huge deal. In addition to the scope of this new regulation, there are also the consequences of non-compliance: fines of up to €20 million or 4% of annual global revenue, whichever is higher.
Aside from incurring steep fines and lofty litigation, the risk of non-compliance also includes losing your customer base and investors to the competition, should a data breach hit your organization.
Every time you make an account online or even just make a one-time purchase, you’re putting a little bit of your well-being into the hands of an organization. If your data falls into the wrong hands, the impact can be huge, from money being drained from your accounts, to not being able to get that loan you need. The consequence of failing to comply with the GDPR, or any privacy regulation of the like, is so much more than a lawsuit or a hefty fine; it’s losing the trust, loyalty, and business of current and future customers.
So again, if you’ve already met GDPR compliance, congratulations! You’re paving the way to a better tomorrow!
But now that you’ve done everything you can to get your policies and procedures up to snuff and have declared compliance, what’s next? How do you maintain compliance over time? Your company will inevitably change, more data will flow in, and the processes that worked for X employees and customers won’t work for Y.
In my experience, professionals of all types who worked hard to achieve GDPR compliance are still anxious, not only about maintaining compliance over time, but about whether they actually achieved it in the first place, whether their compliance status would stand up to scrutiny, and what report they would pull to prove it.
I’ll take you through some steps you can take to maintain and prove GDPR compliance.
An Integrated Approach is the Best Way to Stay Compliant with GDPR
A critical mistake companies make when deciding how to tackle GDPR is looking at it like an IT-only or Compliance-only endeavor. Yes, data sounds like it belongs to IT, and yes, it’s a regulation so Compliance should be involved. But realistically, data of all types runs through every single department across the organization. Therefore, the best way to comply with the GDPR is to integrate every department into the compliance process.
Let’s think more about why an integrated approach is best. Most fundamentally, the GDPR is a monstrously huge regulation, so breaking it down into small, actionable parts is in everyone’s best interest. Such a large task should never fall on one person or department.
Second, more heads are always better than one. How is one person supposed to know every single type of data being collected, who collects it, where it’s stored, how it’s protected, etc.? They just can’t. It takes a host of subject matter experts and process owners to get the answers to all these questions.
Third, sharing information across silos within one centralized platform drastically cuts down on the amount of time spent on achieving compliance. Different departments often share similar risks, so instead of taking the time to design two different controls or policies, you can kill two birds with one stone and design a centralized control. Of course, without communicating across silos, you never would have known to do that!
Lastly, every department really does hold a piece of the puzzle when it comes to data privacy. For instance, IT knows where data is stored, but they don’t necessarily know what kind of data it is. Rather, Sales might know that it’s the name, title, and company of potential customers, while Finance knows that it’s the billing information of current customers. You get the picture.
Taking an integrated approach is the best way to comply with the GDPR because it drastically reduces the headache, time, and effort it takes to achieve compliance.
The Best Way to Comply with GDPR
Last but not least, here are the steps that constitute the best way to maintain and prove compliance with the GDPR:
1. Identify and assess the data you collect – Build out uniform risk assessments with standardized evaluation criteria to identify the kinds of data you collect, who’s collecting it, and how it flows through the company. In the same assessments, evaluate the criticality of the data. Administer risk assessments across departments and levels to get a full and accurate picture of the data your company collects.
2. Perform a Readiness Analysis – Start compiling and looking into all of the data policies across the company. What parts of the GDPR do they cover? Have they proven to be effective? Are there any parts of the regulation you’re having trouble tying a policy to? This step, in combination with step 1, will help you prioritize how to tackle compliance.
3. Fill in the Gaps – Once you’ve set a list of priorities and can home in on exactly which areas of the GDPR you need to address next, you can start designing and implementing new controls. Maybe you need a way to notify affected parties of a breach within 72 hours, or you need to create a workflow for when someone requests that their data be destroyed. Whatever your controls are, make sure they’re operational across departments.
4. Set Up a Flexible Reporting Structure – The best way to prove compliance to your board or regulators is to have a multitude of reports you can easily generate. You might consider a centralized risk management software that can house, pull, and analyze data, which could save you countless hours of hunting down the information needed to prove compliance.
5. Repeat – Make this an iterative process. Even if the GDPR doesn’t change for a few years, your company will. Processes that worked for 200 people won’t necessarily work for 400. Set up regularly recurring testing and monitoring activities to check in on your GDPR-related policies and pull reports on whether they’re working for the company.
These steps are the best way to keep up with GDPR compliance and defend your compliance status. An integrated approach will save you time and eliminate the oversights that occur with a siloed approach. Once you’ve successfully applied these steps to GDPR compliance, try them out on other governance areas in your business. I think you’ll find them helpful in a variety of scenarios as you pave the way towards a better tomorrow for your customers.