May 25th, 2018 is the effective date for the General Data Protection Regulation (GDPR). On this date, significant changes to European Union (EU) data protection laws will be in place: users will gain significant control over how organizations manage their data, and organizations found not compliant could face fines of up to 4% of annual turnover or €20 million. A reminder: the GDPR applies to any organization that is processing data or providing goods or services, whether paid for or not, to citizens residing within the EU.
With little time remaining before the May 25th deadline, what can leaders do if they are struggling to comply with the new law?
The following steps don’t represent a comprehensive task list to achieve compliance with the GDPR, but these recommendations provide a starting point for activities to prioritize as the deadline nears.
Conduct a data inventory
Being unaware of what data an organization is holding and responsible for after May 25th won’t be viewed favorably by supervisory authorities (the regulators in each EU country). Because many organizations don’t pay close attention to data retention and inventory, some may be shocked to discover the volume of unnecessary data they store or process. As part of the inventory, organizations should determine the category of data being processed. Is it Personally Identifiable Information (PII)? Are there special categories of data being processed, such as biometric data or health data?
Minimize data processing
Under the GDPR, the mere act of saving data is deemed to be processing. Once a data inventory is complete, steps should be taken to minimize the volume of data processed. Any data no longer required to be retained should be securely deleted with a record kept of the deletion.
Undertake a risk assessment
Using the data inventory, organizations should undertake a risk assessment. The GDPR requires that a risk-based approach be taken to ensure organizations are GDPR compliant. More information about how to successfully undertake a risk assessment is described in my ISO/IEC 27001 Big Picture course.
Protect data through security controls
Ensuring an organization has sufficient technical and organizational controls in place to protect data is a mandatory requirement of the GDPR. A formal security program is expected with technical, administrative and physical safeguards in place to protect data.
Determine if a Data Protection Officer is required
Under the GDPR requirements, some categories of organizations will need to appoint a Data Protection Officer (DPO). The DPO role carries significant power and independence within an organization, and it may be filled by an employee or outsourced to a specialist provider. If you determine a DPO is not required, the reason for this decision needs to be formally documented.
Provide education for staff
Your teams need to be aware of new responsibilities that will be ongoing post-May 25th. All team members with access to data need to be fully trained on what obligations the GDPR places on organizations, and the enhanced rights users acquire in relation to the management of their data.
Document a plan for the future
It’s likely that organizations will have some work remaining after May 25th. In addition to the obligations already mentioned, organizations must also prepare more fully for a data breach, ensure clarity of consent from users, provide users the ability to take all their data from an organization in digital form, honor the right for a user’s data to be erased, and more. Being able to provide supervisory authorities with a detailed plan for GDPR compliance will help demonstrate that you take the new law seriously. This will also keep your teams focused until all requirements are met and your organization is fully compliant.
The GDPR marks a shift in data protection worldwide. This is new territory for leaders and their respective supervisory authorities as the GDPR provides regulators the power to take action against organizations that fail to comply. To jump start your GDPR preparation, commit to understanding the data being held by your organization, undertake a risk assessment to identify vulnerabilities, then ensure there are technical, organizational and physical controls in place. These are critical first steps to running a digital business come May 25th—and beyond.