Step #1: EXECUTIVE AWARENESS

As stated before, GDPR affects your business. It’s not simply a security issue. If your organization wants to keep up with global competitors and do business with EU citizens this is everyone’s issue. You have to get your entire executive team and the board on the same page, and in order to mitigate and continuously manage this, you need to name a Data Protection Officer (DPO).  

Step #2: PRIVACY OFFICE

Once you have the executive team on board—with funding and full commitment—it’s time to organize your privacy office. This should really be a full network; your entire organization should be looped in and everyone should be accurately updated on regulations and rules. Your DPO needs to align a privacy counsel and program manager to help roll out GDPR compliance all the way from the CEO to sales and marketing and support to IT ops, and so forth.

Step #3: MAP PROTECTED DATA

Everyone’s on board? Great. Now it’s time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it classified? Take an in-depth audit now. Is PII transferred across borders? Why and who is it shared with?

STEP #4: OPERATIONAL IMPLEMENTATION

It’s time to build and customize your company’s processes and Incident Response Process (which has to happen within 72 hours under GDPR). Your DPO should also assess your third party vendor risks at this time. Be thorough.

STEP #5: AWARENESS AND TRAINING (REPEAT)

Build new specifics into your new-hire training, but don’t forget about ongoing technical training for senior staff. Make annual security training mandatory and brief your executive leadership on new GDPR readiness.