7 Steps To Ensure Your Business Is GDPR Compliant
Last Updated on May 23, 2018 by Brette Rowley
Have you procrastinated and waited until the last minute (or past the GDPR deadline) to get your company’s data in order? We’ve broken the work down into 7 steps to help you get compliant:
Document Existing Data Policy
If you haven’t already, use this as a reason to get organized when it comes to your data. Create a folder on your company’s file system that will house all of the details regarding your data collection, processing, and storage.
We recommend starting with a data map to outline what data is collected by your business and where. From there, separate the data into categories so that you can more easily identify the lawful basis for processing each category of data.
Document diligently, as this could serve as proof in your defense if needed.
Understand The GDPR Requirements
Involve key stakeholders and executive leadership so that compliance is treated as a business priority rather than an IT side project. These may include representatives from marketing, finance, sales, operations and any group that collects, analyzes, or makes use of customer data.
Make sure that everyone is on the same page regarding the requirements of the new regulation and how your business must change to adhere to it.
Some key questions to ask:
- How will you have users give consent in accordance with the regulation?
- What is the process for deleting data?
- How will you ensure that data is truly deleted across all systems?
- How will you transfer data if requested by a consumer?
- What processes are in place to verify that the person requesting access, changes, or deletion is, in fact, the data subject they claim to be (so that a rights request cannot itself become a way to leak someone else’s data)?
- What is the outreach plan in the event of a breach?
Hire Or Appoint A DPO
First check whether you are required to appoint one: Article 37 makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. If you are not required to, you can still appoint one voluntarily. Determine if you can simply add these duties to an existing position (the DPO must be able to act independently and without a conflict of interest) or if you’ll need to hire a new team member to do the job. Virtual DPOs are also an option, as the regulation allows a DPO to serve several companies on a service contract.
Identify And Correct Non-Compliant Processes
Compare your data audit to the requirements of the GDPR, paying specific attention to privacy rights and processes, data subject requests, data processing, and consent.
A large part of compliance may be establishing incident response plans. Under Article 33, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; the clock starts at awareness, not at the moment the incident occurred, which makes detection and escalation paths part of compliance. Make sure your team knows how to respond in the event of a security breach.
Conducting a risk assessment will also allow you to uncover Shadow IT. Matt Fisher, SVP at Snow Software, likens Shadow IT to an iceberg. “The iceberg effect poses a serious risk to organizations’ GDPR compliance as many are focused on the 10 percent of applications holding personal data that are visible at the water’s surface,” he says.
Other internal tasks to take on include:
- Create a Password Policy.
- Serve your website over HTTPS, and make sure plain HTTP actually redirects to it rather than serving the same content unencrypted.
- Create a Data Retention Schedule and Destruction Policy.
- Re-contact your existing mailing lists to obtain an explicit “opt in” where the consent you hold does not meet the GDPR standard.
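“Ensure your website is HTTPS” is easy to tick off and easy to get wrong: a certificate being installed does not mean plain-HTTP visitors are pushed onto it. The following is an added example (not code from the original article or from Softsys Hosting) that checks captured responses offline for the two things that make HTTPS enforced in practice: the http:// URL redirects permanently to https:// on the same host, and the HTTPS response sets a Strict-Transport-Security header with a long enough max-age. The sample responses, the host name and the one-year max-age threshold are constructed assumptions for illustration.

```python
"""Offline check that a site enforces HTTPS, given responses you captured.

Feed it the status and headers observed for http://HOST/ and https://HOST/
(for example from `curl -sI`). Nothing here contacts the network.
"""
from urllib.parse import urlparse

# Assumed threshold: one year, the value the browser HSTS preload list expects.
# This is a common recommendation, not a figure from the GDPR.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_https_enforcement(http_response: dict, https_response: dict, host: str) -> list:
    """Return a list of findings; an empty list means HTTPS is enforced.

    Each response is a dict with 'status' (int) and 'headers' (dict, any case).
    """
    findings = []
    http_headers = {k.lower(): v for k, v in http_response["headers"].items()}
    https_headers = {k.lower(): v for k, v in https_response["headers"].items()}

    # 1. Plain HTTP must redirect, and the redirect must land on https:// for the same host.
    if http_response["status"] not in (301, 302, 307, 308):
        findings.append("plain HTTP is served directly instead of redirecting to HTTPS")
    else:
        location = urlparse(http_headers.get("location", ""))
        if location.scheme != "https":
            findings.append("HTTP redirect does not point at an https:// URL")
        elif location.hostname != host:
            findings.append(f"HTTP redirect leaves the host ({location.hostname})")
        if http_response["status"] in (302, 307):
            findings.append("redirect is temporary; use 301 or 308 so clients cache it")

    # 2. The HTTPS response should carry HSTS so browsers stop trying plain HTTP at all.
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            findings.append("Strict-Transport-Security has no valid max-age")
        else:
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not include subdomains")

    return findings


# Constructed sample responses for illustration; not captured from any real site.
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"}}

GOOD_HTTP = {"status": 301, "headers": {"Location": "https://www.example.com/"}}
GOOD_HTTPS = {
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for label, http, https in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        print(label, check_https_enforcement(http, https, "www.example.com") or ["OK"])
```

The “weak” pair is the common failure mode: the certificate works, but http:// still returns the page itself, so anyone who types the bare domain (or follows an old link) submits forms in the clear. Run the check against each hostname you serve, including www and bare-domain variants, since a redirect on one does not imply a redirect on the other.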
Communicate With Partners And Vendors
The risk of Shadow IT makes it critical to communicate with your third-party vendors and partners as well. Under the regulation, processors have direct obligations of their own, but the controller remains responsible for using only processors that provide sufficient guarantees and for having a written contract with each one that sets out the processing (Article 28). That means, if you use a separate data processor who is not in compliance, your business is on the hook as well.
Report Your GDPR Compliance Progress
Article 30 of the GDPR requires organizations to keep a Record of Processing Activities (RoPA); organizations with fewer than 250 employees are exempt unless their processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data, so most businesses with customer databases will still need one. The record helps you inventory which applications touch personal data and gives you a clear picture of how data moves throughout your departments and software.
Ask For Help (If Needed)
Feeling a bit overwhelmed? Ask for help. At Softsys Hosting, we’re fully prepared to help make sure you feel confident in your data storage and protocols.