The European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on May 25, applies to every company that offers goods or services to the EU or monitors the behavior of individuals within the EU. The aim of the GDPR is to ensure that an individual’s personal data is stored with consent, for a specific purpose and for a reasonable duration of time. Failure to comply with the regulation’s requirements could result in fines of up to €20 million or 4% of the offending company’s annual global revenue, whichever is higher.
The GDPR may require a lot of changes for companies that collect, process or store data on EU citizens. By May 25, 2018, companies must address issues like:
- Privacy and security by design
- Privacy impact assessments
- Inventories and data-mapping of personal information across all business systems
- The appointment of a data protection officer (DPO)
- Evidence to demonstrate reasonable efforts put forth
Ensuring GDPR compliance requires a concerted effort across an organization’s entire executive team, as the data protection officer must work with C-level executives and other senior leadership to properly identify and map out data inventories and processes, perform risk assessments, and conduct gap analyses. These additional projects can be costly and time-intensive, and they often require additional resources.
Preparing for a significant security compliance change can be overwhelming. The most efficient way to achieve GDPR compliance is through interdepartmental collaboration and the use of technology solutions that automate and validate business needs such as policy compliance, data security and required reporting. As the deadline looms, most organizations should already have started assessing the business impact, devising a company-wide implementation plan and addressing additional resource needs.
Our consultants can help your company achieve GDPR compliance. We follow this six-step GDPR implementation plan:
1. Raise awareness enterprise-wide
The first step is to raise awareness of the GDPR at all levels of your organization. Develop recordkeeping and monitoring best practices, engage in ongoing training outlining breach scenarios and causes, and create a culture of security across the entire organization. Ensure that employees not only understand the impact of these new regulations, but also feel comfortable raising alerts and know who to go to if there is cause for concern.
2. Designate a data protection officer
The GDPR outlines specific organizations that must formally designate a DPO, including public authorities (except for courts) and private organizations where the core activities consist of processing operations that require regular and systematic monitoring of personal information on a large scale or large-scale processing of sensitive data or data relating to criminal convictions or offenses. EU or member-state law may require the designation of DPOs in other situations as well.
3. Create a data inventory
In order to understand the risks associated with how information is processed, stored and transferred, our consultants ensure that we fully understand what data your organization collects and processes, and how. Once a detailed inventory list of data types has been created, each data set will be mapped end-to-end throughout the organization’s technology infrastructure to identify all physical and virtual places where data is held. This includes customers, employees, and third-party suppliers or vendors. Distribute these lists to internal departments and stakeholders to ensure that all data types and storage locations have been identified.
4. Evaluate risk and perform gap analysis
Next, we will take your inventory of data and processes and compare it to the GDPR requirements. We will also include third-party suppliers and vendors. Where are the gaps in compliance? Are there areas at risk of non-compliance in the future? What are the most immediate needs the company must satisfy in order to move toward GDPR compliance?
5. Develop a roadmap
Once we have identified all potential GDPR compliance gaps, your organization will develop a roadmap outlining required changes to processes and systems to conform with GDPR requirements. Some of these changes may result in the tightening of existing controls, while others may require that entirely new controls and processes be developed. We will guide you through all the stages.
6. Monitor and report progress and compliance
The GDPR requires “security by design,” which mandates that all IT professionals build compliance into the design of future business operations that capture, process or store data. Our data protection officer will work with all necessary business and IT teams to ensure that operational systems and data management workflows remain compliant and stay up to date with any GDPR announcements or changes.
For further consultation on how we can help your organization, please give us a call or email us at firstname.lastname@example.org for our case study.