10 Steps to GDPR Readiness
How do you know when you’re ready? REALLY ready?
This question is more than just a once-in-a-lifetime moment in a person’s mind watching their spouse-to-be walk down the aisle. It pops up at all major crossroads and significant milestones: college graduation, the birth of your first child, starting a new business.
You can add a new professional milestone to your list: On 25 May 2018, the European Union General Data Protection Regulation (GDPR) takes effect.
OK, it may not carry the same significance as your marriage. But if you’re involved with the collecting, storing, or analyzing of personally identifiable information (PII) of any European citizen, you will want to get ready for this.
Follow this checklist to help prepare your organization for the first comprehensive attempt at establishing data compliance standards across national economies:
Step 1: Staff Preparation
Identify and hire (or outsource) key personnel responsible for knowing the changes and impact GDPR brings to your business. Know the penalties for noncompliance and educate all leadership of GDPR’s significance.
Designate someone to be responsible for data protection compliance. Some organizations will require a Data Protection Officer (DPO), including:
- A public authority (except for courts acting in their judicial capacity)
- An organization that carries out the regular and systematic monitoring of individuals on a large scale
- An organization that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions
Step 2: Data Scrub
Find and inventory all currently stored personal data. Determine its purpose, source, distribution, and relevancy (why do you have it?). These are questions you’ll need to answer for all PII-related data.
Step 3: Update Privacy Notices
Review and update your existing privacy notices to capture GDPR changes. These notices must explain how you intend to use information, the lawful basis for processing it, and how long you intend to keep it. Privacy notices must be provided in clear, concise language—no legal mumbo jumbo.
Step 4: Understand Individuals’ Rights
Now is also the time to check your procedures and discover how your systems support individuals’ rights. Under GDPR, individuals have enhanced protection rights, including:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making, including profiling
Step 5: Review Access Requests
Ensure your processes can handle requests within the new 30-day timeframe. If you handle significant request volumes, consider the implications of answering these requests more quickly.
Step 6: Document Your Legal Bases
Under GDPR, some individuals’ rights will be modified depending on your lawful basis for processing their data. You should document your legal bases to help you comply with GDPR’s accountability requirements.
Step 7: It’s All about Consent
You should read the detailed guidance the ICO has published on consent under the GDPR, and use the consent checklist to review your practices. Review how you seek, record, and manage consent and update methods to account for GDPR changes. GDPR requires special protection for children’s personal data, particularly in the context of commercial internet services, including social networking. Under GDPR, children under 16 may not give consent without approval from persons holding parental responsibility.
Step 8: Tell Us about Your Breaches
Have a plan in place to effectively detect, report, and investigate any data breach. Larger organizations will need policies and procedures for managing data breaches. Failure to report these breaches may result in fines (on top of the fines for the actual breach).
Step 9: Protect by Design
Conduct a Privacy Impact Assessment (PIA) in order to adopt a design approach to automatically include protecting data privacy in your processes. GDPR explicitly mandates “data protection by design” and makes PIAs mandatory under specific circumstances.
Step 10: International Implications
If your organization operates in more than one EU member state, determine and document the location of your lead data protection supervisory authority. This is only relevant where you carry out cross-border processing (i.e., you have establishments in more than one EU member state, or you have a single EU establishment whose processing substantially affects individuals in other EU member states).
How Can FileFacets Help?
If you are unsure of your organization’s readiness when it comes to protecting the rights of data subjects (Chapter 3 of GDPR), let FileFacets help you understand and meet the requirements.
FileFacets provides the platform and methodology to help businesses comply with the EU’s GDPR. With years of experience in information governance, FileFacets provides the tools for acquiring data, and for identifying and actioning personal data from multiple sources.