The General Data Protection Regulation (GDPR) is the most important change to data privacy in 20 years. In the wake of scandals such as Equifax, Target, and Yahoo!, and in a world of increasing transparency, data privacy is now top of mind for consumers and regulators everywhere.
The GDPR lays out a set of strict requirements that companies in every nation of the world must comply with when collecting personal data of any EU resident or business. Its objectives are to give European residents control over their personal data and to simplify the regulatory environment for international business.
The business impact of GDPR is serious; unlike previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy severe fines up to €20 million or 4% of annual global revenue, whichever is higher.
If your business is not subject to GDPR compliance today, it’s likely that you will be in the near future. Get a head start by taking steps today that enable you to maintain and prove compliance:
Step 1: Identify and Assess the Data You Collect
Build out uniform risk assessments with standardized evaluation criteria to identify the kinds of data you collect, who’s collecting it, and how it flows through the company. In the same assessments, evaluate the criticality of the data. Administer risk assessments across departments and levels to get a full and accurate picture of the data your company collects.
Step 2: Perform a Readiness Analysis
Start compiling and looking into all of the data policies across the company. What parts of the GDPR do they cover? Have they proven to be effective? Are there any parts of the regulation you’re having trouble tying a policy to? This step, in combination with step 1, will help you prioritize how to tackle compliance.
Step 3: Fill in the Gaps
Once you’ve set a list of priorities and can home in on exactly which areas of the GDPR you need to address next, you can start designing and implementing new controls. Maybe you need a way to notify affected parties of a breach within 72 hours, or you need to create a workflow for when someone requests their data be destroyed. Whatever your controls are, make sure they’re operational across departments.
Step 4: Set Up a Flexible Reporting Structure
The best way to prove compliance to your board or regulators is to have a multitude of reports you can easily generate. You might consider centralized risk management software that can house, pull, and analyze data, which could save you countless hours of hunting down the information needed to prove compliance.
Step 5: Repeat!
Make this an iterative process. Even if the GDPR doesn’t change for a few years, your company will. Processes that worked for 200 people won’t necessarily work for 400. Set up regularly recurring testing and monitoring activities to check in on your GDPR-related policies and pull reports on whether they’re working for the company.
These steps are the best way to keep up with ever-evolving regulations associated with GDPR compliance, and continually defend your compliance status.