GDPR enforcement is here and businesses are taking various approaches to comply. Most noticeable was the flood of emails we all received from companies scrambling to update their privacy policies. Big tech companies are passing the buck onto individual businesses and publishers, making them responsible for any data they may collect. And to the extreme, some organizations are blocking all EU users including retailers like Dick’s Sporting Goods and Pottery Barn. Even the publishing house Tronc, which owns outlets such as The Chicago Tribune, went dark after GDPR enforcement took effect.
For any organization processing the personal data of individuals in the EU, GDPR has forced a change in both business process and company culture. To do it right, organizations should make the management of data privacy risks a part of their DNA. It’s a lofty goal, but effective data risk management should be a strength that can then be capitalized on in the marketplace. Look at it from the carrot and stick perspective: the stick is the possibility of big fines, the carrot is effective data risk management capabilities that will be rewarded in the marketplace.
Compliance is a Marathon, Not a Sprint
What should some of these changes look like? For starters, you need a compliance officer, either a new hire as Data Privacy Officer or someone assigned compliance responsibilities. This person should emphasize that managing data privacy risks is a continuous process, not just an exercise in meeting GDPR or any other regulatory mandate.
Here are the top 5 things your compliance officer should focus on:
- Communicate clearly with leadership. Let senior leadership or the Board of Directors know where the organization is regarding risks and mitigation action plans. Accountability for completion of planned actions should be communicated and enforced.
- Train employees. Clear and concise information on the importance of data privacy should be communicated continuously throughout the organization. Training on GDPR or other data privacy regulations should be required for any employee who may access, process, transmit, or store personal information. Open dialogue with employees should be enabled to provide mechanisms for employees to report when privacy violations occur, or when policies, processes, or controls need improvement.
- Don’t forget partners. Open dialogue and communication with partners should be a priority, whether they process data on your behalf (when your organization is a controller) or your organization processes data on behalf of a controller.
- Test and audit. Testing and validation of data privacy processes and controls should be ongoing. Leverage internal audits to perform independent testing of processes and controls.
- Conduct incident response practice exercises. Control owners should perform tabletop exercises to ensure that everyone is familiar with incident response procedures.
For more ideas on how to comply with GDPR, take a look at my earlier post, Procrastinators’ Guide to GDPR Compliance.
When large initiatives like GDPR are rushed against a looming deadline, important pieces are often missed. The ability to step back and focus on what’s most important is often blurred. GDPR promotes a risk-based approach to compliance. If you aren’t ready, start by focusing your attention on the processing activities that have the most risk.
If you’re interested in learning more about compliance best practices and how to keep track of your sensitive information, listen to our now archived webcast: “Data Visibility: Your Path to Regulatory Compliance.”