10 Steps to GDPR Readiness

How do you know when you’re ready? REALLY ready?

This question is more than just a once-in-a-lifetime moment in a person’s mind watching their spouse-to-be walk down the aisle. It pops up at all major crossroads and significant milestones: college graduation, the birth of your first child, starting a new business.

You can add a new professional milestone to your list: On 25 May 2018, the European Union General Data Protection Regulation (GDPR) takes effect.

OK, it may not carry the same significance as your marriage. But if you’re involved with collecting, storing, or analyzing the personally identifiable information (PII) of any European citizen, you will want to get ready for this.

Follow this checklist to help prepare your organization for the first comprehensive attempt at establishing data compliance standards across national economies:

Step 1: Staff Preparation

Identify and hire (or outsource) key personnel responsible for knowing the changes and impact GDPR brings to your business. Know the penalties for noncompliance and educate all leadership of GDPR’s significance.

Designate someone to be responsible for data protection compliance. Some organizations will require a Data Protection Officer (DPO), including:

  • A public authority (except for courts acting in their judicial capacity)
  • An organization that carries out the regular and systematic monitoring of individuals on a large scale
  • An organization that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions

Step 2: Data Scrub

Find and inventory all currently stored personal data. Determine its purpose, source, distribution, and relevancy (why do you have it?). These are questions you’ll need to answer for all PII-related data.

Step 3: Update Privacy Notices

Review and update your existing privacy notices to capture GDPR changes. These notices must explain how you intend to use information, the lawful basis for processing it, and how long you intend to keep it. Privacy notices must be provided in clear, concise language—no legal mumbo jumbo.

Step 4: Understand Individuals’ Rights

Now is also the time to check your procedures and discover how your systems support individuals’ rights. Under GDPR, individuals have enhanced protection rights, including:

Step 5: Review Access Requests

Ensure your processes can handle requests within the new 30-day timeframe. If you handle significant request volumes, consider the implications of answering these requests more quickly.

Step 6: Document Your Legal Bases

Under GDPR, some individuals’ rights will be modified depending on your lawful basis for processing their data. You should document your legal bases to help you comply with GDPR’s accountability requirements.

Step 7: It’s All about Consent

You should read the detailed guidance the ICO has published on consent under the GDPR, and use the consent checklist to review your practices. Review how you seek, record, and manage consent and update methods to account for GDPR changes. GDPR requires special protection for children’s personal data, particularly in the context of commercial internet services, including social networking. Under GDPR, children under 16 may not give consent without approval from persons holding parental responsibility.

Step 8: Tell Us about Your Breaches

Have a plan in place to effectively detect, report, and investigate any data breach. Larger organizations will need policies and procedures for managing data breaches. Failure to report these breaches may result in fines (on top of the fines for the actual breach).

Step 9: Protect by Design

Conduct a Privacy Impact Assessment (PIA) in order to adopt a design approach to automatically include protecting data privacy in your processes. GDPR explicitly mandates “data protection by design” and makes PIAs mandatory under specific circumstances.

Step 10: International Implications

If your organization operates in more than one EU member state, determine and document the location of your lead data protection supervisory authority. This is only relevant where you carry out cross-border processing (i.e., you have establishments in more than one EU member state, or you have a single EU establishment that carries out processing that substantially affects individuals in other EU member states).

How Can FileFacets Help?

If you are unsure of your organization’s readiness when it comes to protecting the rights of data subjects (Chapter 3 of GDPR), let FileFacets help you understand and meet the requirements.

FileFacets provides the platform and methodology to help businesses comply with the EU’s GDPR. With years of experience in information governance, FileFacets provides the tools for acquiring data, and for identifying and actioning personal data from multiple sources.