Is your company active in the European Union? Does your company have a client database? Or a database with personnel data? A database with prospects and marketing contacts? A database with personal accounting and invoicing details? If the answer to any of these questions is yes, your company will have to be compliant with the new General Data Protection Regulation (GDPR) as of May 25th 2018.
This means that your organization does not have much time left to prepare itself to comply with the new set of data protection rules. With fines of up to 4% of global annual turnover for failing to comply with the GDPR requirements, the stakes are high, especially because compliance must be demonstrable. So not only must it be done, it must also be seen to be done.
While the clock is ticking… where to start?
First of all, you need to install a ‘GDPR Compliance is not just the problem of the IT department’ mindset. GDPR not only has an impact on personal data processed via hard- and software applications but also looks at administrative procedures, operational practices and supporting documentation. This essentially means that GDPR compliance is a challenge for your entire organization. So the first step in setting up GDPR governance will be to get everyone on board.
1. Make an inventory of all processed personal data
What data enters and leaves the organization? What data is processed, how, why and by whom? What data is exchanged with subcontractors? For how long is this data stored? How is the data protected? …
2. Set up a GDPR compliancy roadmap
In terms of both resources and quality, it is not possible to tackle everything at once. So you need to prioritize data processing activities, issues, gaps, risks and possible compliance actions. You will need a plan towards compliance linked to a feasible yet ambitious timeline.
3. Develop processes that protect privacy by design and by default
Your organization will have to prove that all data processes are set up in line with the GDPR requirements: data protection & confidentiality, security testing protocols, data breach notifications, … This means that your processes have to be designed to be GDPR compliant from the start, both technically and organizationally, and by default.
4. Define data processors and a DPO
Note that the appointed data processors will be responsible and accountable, and that their contact details must be filed at your headquarters. On top of that, if, for example, your company has data as its core business, you will have to assign a data protection officer (DPO). This will be the external contact person, and he or she is responsible for monitoring GDPR compliance.
The above action points offer some starting points to get your GDPR compliancy roadmap up and running. You can find out more about setting up digital governance in this SlideShare.