Preparing for regulatory changes can be overwhelming. Whether or not you sell products and services within the EU or process the personal data of EU data subjects, the General Data Protection Regulation (GDPR) will likely impact your organization. If you are preparing to be GDPR compliant, there are manageable steps you can take to get ready for the May 25th deadline.
Whatever changes you make, you’ll want them to last for the long-term. The GDPR deadline is a great reason to upgrade your data management process. Not only will this help you meet regulatory requirements; it may also position you at a competitive advantage. Charting a path toward GDPR compliance has numerous long-term benefits for your organization. Here’s a high-level action plan you can get started on today.
1. Consider Which Functions Benefit From GDPR
Getting ready for GDPR can catalyze the changes you’ve been meaning to make but have been putting off. A digital overhaul of previously manual processes may be in order. GDPR will impact your compliance department. Are there other departments within your organization that will also benefit from digitization? You may find that by becoming GDPR compliant, you’re in a better position to achieve better ROI from one or more departments. For example, consider:
- Business intelligence
- Risk management
- Machine learning
- Finance and accounting
- Fraud detection
- Budget forecasting
- Outsourced labor management
- Human capital management
2. Conduct a Data Audit
After you’ve decided which parts of your organization will map to GDPR preparation, conduct a significant data audit. What is the data journey through your organization? Map every point where data enters or leaves your organization, and identify which of those points carry personal data. Personal data is information related to a natural person or “data subject” that can be used to directly or indirectly identify the person. Personal data includes:
- First and last names
- Social security numbers
- Dates of birth
- Home and work addresses
- Bank account numbers
- Credit and debit card information
This data audit can’t be purely manual. Engineers and auditors should work together to comb through these volumes of data in order to classify them and standardize the audit. Several teams and stakeholders are involved in an organization’s data. It’s important to pinpoint the decision-makers and key entry and exit points, in order to anticipate the impact and risk of GDPR. To educate your team, earlier is always better.
3. Conduct a Technology Audit
There are many built-in technology solutions to help with GDPR compliance. For instance, if you use a networked communication platform like AtHoc, it is already compliant with FedRAMP programs. FedRAMP compliance is already focused around data protection and strict cyber security measures. In addition to networked platforms, assess which technology solutions you have for the following:
- Customer data platforms
- Information mapping
- Tag management
- Third-party tools
Your technology will provide guidance on how you can improve data management. For example, companies and government agencies can optimize their processes through data centralization and new security processes.
4. Assess Your Communications and Disclosures
One of the main goals of GDPR is transparency around privacy and data protection practices. Simple and effective notifications are required to obtain consents that are “freely given, specific, informed and unambiguous”. You can get out ahead of these communications by assessing your current privacy notices. All privacy notices must clearly indicate:
- What personal data will be processed
- The purpose for which the personal data will be processed
- Why the personal data is necessary for that purpose
- Whether the personal data was obtained directly from the data subject
- How the data is kept, how long it is kept, whether and to whom it is transferred, and the right to lodge a complaint or withdraw consent
- How to contact the organization’s Data Protection Officer
5. Call on an Attorney
At its core, the GDPR is a legal directive. It requires legal knowledge to minimize the risk of missing a step. Once you have mapped your data flows and audited your tools and challenges, seek the assistance of a legal team. Doing so will ensure that you can maintain business continuity, avoid any disruptions to your operations, and minimize the risk of costly fines.
One of the key tenets of the GDPR is that every EU resident has the right to know and decide how their personal data is used and stored. If they want, they have the right to request the erasure of their personal data (“the right to be forgotten”). You will need to have the tools and processes in place to respond to these requests. You’ll want to make sure that you have a legally viable process for finding and managing personal data within your own databases.
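As an added illustration of the data audit in step 2 and the erasure process described in the paragraph above (example code written for this page, not part of the original article and not any vendor's product), the following Python script classifies fields in a set of constructed sample tables using the personal-data categories listed in step 2, builds a per-table inventory, locates every record belonging to one data subject, and redacts that subject's personal-data fields while keeping an audit log. The table schemas, sample values and the helper names (`classify_field`, `inventory`, `find_subject`, `erase_subject`) are assumptions. The classifier also treats an e-mail address as personal data, although it is not in the article's list, because it identifies the subject; value-based rules run before column-name rules so that card numbers or SSNs stored under bland column names are still found.

```python
import re
from copy import deepcopy

# Constructed sample tables (assumed schemas and values; not from the original article).
SAMPLE_TABLES = {
    "crm_contacts": [
        {"customer_id": 1001, "full_name": "Anna Example", "email": "anna@example.test",
         "home_address": "1 Sample Street, Dublin", "date_of_birth": "1985-04-12", "plan": "gold"},
        {"customer_id": 1002, "full_name": "Ben Sample", "email": "ben@example.test",
         "home_address": "2 Test Road, Berlin", "date_of_birth": "1990-09-30", "plan": "silver"},
    ],
    "billing": [
        {"customer_id": 1001, "card_number": "4111111111111111", "iban": "DE89370400440532013000", "amount": 49.99},
        {"customer_id": 1002, "card_number": "5500000000000004", "iban": "GB82WEST12345698765432", "amount": 19.99},
        {"customer_id": 1003, "card_number": "378282246310005", "iban": "FR1420041010050500013M02606", "amount": 9.99},
    ],
    "hr_records": [
        {"employee_id": 7, "full_name": "Cara Demo", "ssn": "123-45-6789", "department": "finance"},
    ],
}

# Value patterns for categories that have a recognisable shape.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
CARD_RE = re.compile(r"^\d{13,19}$")

# Column-name hints for categories that have no reliable value pattern (assumed naming conventions).
NAME_HINTS = {
    "name": "name", "address": "address", "birth": "date_of_birth", "dob": "date_of_birth",
    "ssn": "ssn", "account": "bank_account", "iban": "bank_account", "card": "card", "email": "contact",
}


def luhn_ok(digits):
    """Luhn checksum: filters out arbitrary long numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_field(field, value):
    """Return the personal-data category of one field, or None if it is not personal data."""
    text = str(value)
    if SSN_RE.match(text):
        return "ssn"
    if CARD_RE.match(text) and luhn_ok(text):
        return "card"
    if IBAN_RE.match(text):
        return "bank_account"
    lowered = field.lower()
    for hint, category in NAME_HINTS.items():
        if hint in lowered:
            if category == "date_of_birth" and not DATE_RE.match(text):
                continue  # a "birth"-named column that does not hold a date is not classified
            return category
    return None


def inventory(tables):
    """Build the audit inventory: for each table, the personal-data fields and their categories."""
    result = {}
    for table, rows in tables.items():
        fields = {}
        for row in rows:
            for field, value in row.items():
                category = classify_field(field, value)
                if category:
                    fields[field] = category
        result[table] = fields
    return result


def find_subject(tables, key_field, key_value):
    """Locate every record of one data subject, as (table, row index) pairs."""
    return [(table, idx) for table, rows in tables.items()
            for idx, row in enumerate(rows) if row.get(key_field) == key_value]


def erase_subject(tables, key_field, key_value):
    """Redact the subject's personal-data fields in a copy of the tables and return an audit log.

    The linking identifier itself is kept so the log can be reconciled with the request
    (an assumption about the retention policy, not a statement of what the law requires).
    """
    cleaned = deepcopy(tables)
    log = []
    for table, idx in find_subject(cleaned, key_field, key_value):
        row = cleaned[table][idx]
        erased = [f for f, v in row.items() if f != key_field and classify_field(f, v)]
        for field in erased:
            row[field] = "[erased]"
        log.append((table, idx, erased))
    return cleaned, log


if __name__ == "__main__":
    for table, fields in inventory(SAMPLE_TABLES).items():
        print(table, fields)
    _, audit_log = erase_subject(SAMPLE_TABLES, "customer_id", 1001)
    print("erasure log:", audit_log)
```

Running the script prints the inventory for each table and the erasure log for customer 1001. In a real audit the column-name hints and value patterns would be extended to the organization's own schemas, and the inventory output would feed the record of processing activities that the privacy notices in step 4 are written from.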
Taking the above steps will help you not only meet GDPR requirements, but maximize the benefits of digitally upgrading your organization. In addition, these steps are designed to keep you compliant for the long term. Getting ready for the GDPR is no small feat. It requires preparation, coordination, and execution. Taking a holistic view of GDPR compliance means you can improve customer experience at the same time.