You’ve probably heard a lot of talk surrounding the General Data Protection Regulation (GDPR). GDPR applies to any company that does business with Europe, whether they are based in the EU or not. The new regulation gives users ultimate control over their data: where it resides, the ability to export it, the ability to withdraw consent, and the right to request access to it.
The regulation states that businesses must be compliant by May 25, 2018. Preparing for the deadline can be overwhelming, but it doesn’t have to be. The following checklist will help you and your business get compliant.
- Find out if the regulation applies to your business. You are subject to GDPR compliance if any one of the following three conditions applies to your business:
  - You process personal data on behalf of a data controller or data processor located in the EU
  - You process personal data by offering goods or services to data subjects located in the EU
  - You monitor the online behavior of data subjects located in the EU
- Conduct an inventory of your data. Identify your assets and their value to the company. When we talk about data, we’re referring to personally identifiable information (PII), social security numbers, patient/medical information, and credit card numbers. Where does your “high-risk” data reside in your environment? The goal is to gain greater transparency into your environment.
- Get a Security Risk Assessment. Conducting a thorough Security Risk Assessment (SRA) can help you determine what vulnerabilities exist in your environment. It can also help determine if you’re legally compliant with the complex regulations as outlined by HIPAA, NIST, and other organizations. A good SRA will follow a standard framework such as ISO 27001 as governed by ISACA.
- Update your privacy policies. Consult your legal team or general counsel to get an evaluation of your existing privacy policies. The evaluation can help you see what’s missing in the policy. Your policy should clearly state how you process and use the data. You should have a record of modification for what has been added and communicate this to your clients.
- Enroll in Privacy Shield. By enrolling in Privacy Shield, you’re giving your organization extra coverage for GDPR compliance. It’s not full coverage and is only applicable to businesses submitting data from the EU to the US.
- Appoint a Data Protection Officer (DPO). Your DPO should manage the compliance process for GDPR. This person will work with the legal team on updating the privacy policies, enrolling in Privacy Shield, and creating awareness across the organization about the importance of GDPR. This person is not just there to handle incidents; they take a proactive approach to being compliant.
- Develop an Incident Response plan and policy. The Incident Response team is made up of senior-level management employees who determine how your organization will respond to and handle any incidents that may occur. For example, if an employee in your organization accessed PII without authorization, you should have guidelines in place for how you will notify your client and prevent this from happening again. Your DPO should be part of the Incident Response plan team and will help develop incident response policies. It is best to test this policy annually.
- Review your data retention policies to include the GDPR requirements of the “right to be forgotten” clause. The “right to be forgotten” refers to data that is no longer needed for the purpose for which it was originally collected. To comply, you’ll need to establish a reasonable retention period and define it clearly in your policies and procedures. It’s also best practice to enhance your privacy notices to include consent and purpose. Additionally, you’ll need to have the record of modification visibly posted so your clients know when changes have been made.
- Educate your employees. Talk to your employees about GDPR. Tell them why it’s important and work as a team to prepare together. All users should be well aware of your company’s security policies and any subsequent updates.
- Do something! The process of becoming GDPR compliant can be time-consuming and nerve-wracking. Consult a lawyer or legal team to help you throughout the process. Be sure to document all changes you make to your processes and procedures. Taking the steps to get compliant will reduce the risk of vulnerabilities across your environment.
The GDPR deadline is May 25, but it’s best to start planning your compliance process now. Contact us today for more information on how we can help.