With less than eight months before the European Union’s General Data Protection Regulation (GDPR) goes into enforcement, there isn’t a moment to lose for subject companies. On May 25, 2018, inaction could cost up to 20 million euros or 4 percent of total worldwide annual revenue, whichever is higher.
To get you started, we’re sharing five tips from our GDPR Compliance Guide. After helping dozens of our clients plan for compliance, we believe these are the essential tasks GDPR-subject companies must have implemented before next May.
And if you aren’t sure if your company is subject to the GDPR, get this datasheet. It summarizes the general categories of subject companies and will jumpstart your process.
1. Solidify your data-transfer mechanism
If you’ve read this far, we assume your company isn’t located in the European Union. That means you’ll be transferring data across the economic region’s borders. Whether you choose to self-certify according to the Privacy Shield pact, a Model Clause agreement, or another mechanism, you must have a way to meet your responsibility for the confidentiality, integrity, availability, and durability of those data you’re transferring. While you’re marshaling your resources for the rest of the compliance battle (see below), begin the process of firming up your data-transfer mechanism now.
2. Hire a Data Protection Officer
Assuming that your company is required to have one. It may not. If it is, this person will be responsible for bringing your company into compliance with the GDPR and developing the trainings and procedures to ensure you maintain compliance. If your company is large enough, you’ll probably need to hire one. Smaller companies may be able to ‘add another hat’ to someone already on staff. Either way, this person will be invaluable for leading the effort ahead.
3. Assemble your GDPR team
Your Data Protection Officer (DPO) will need support and insight from across your company, including: leadership, security (or, if unavailable, IT), privacy, compliance, legal, marketing, human resources, operations, and your board. Each member will play a complementary role in ensuring your company’s compliance. Unfortunately, there isn’t space here to explain each member’s roles. For that, please download the GDPR Compliance Handbook.
4. Map out your company’s data activities
A few years ago, companies could not collect enough data. Storage was cheap, the thinking went, so why not keep them all? They could become valuable in the future. Today, that data-collection party is over. Blame the GDPR. Now, your company must be able to define clearly its every intent for that data: its collection, storage, use and disposal. It’s a big lift, but it’s also an essential precursor to the final tip.
5. Assess your compliance posture
Is your data governance policy up to the GDPR’s standards? Are you getting consent from your data subjects correctly? Do your company’s procedures honor the seven data-subject rights defined by the GDPR? Your overall compliance posture is the sum of answers to many questions like these. To come into full compliance, someone at your company will need to check current policies and procedures against each of the GDPR’s 99 articles. If that sounds like a lot of work (it is), we recommend our GDPR self-assessment.
‘Not a moment to lose’
By the time you’ve completed all of the above steps, you’ll have a clear idea about the holes in your compliance posture. This is great! Truly, knowing is half the battle. From here you can devise a plan to fill in those gaps.