If you’re paying attention, you’ve probably already seen a handful of GDPR-related headlines just today, let alone in the last week or month. But there are two good reasons for the deluge of GDPR discussion right now – it’s incredibly important and the time to act is now.
If you’re one of those ninth-inning, hit-it-out-of-the-park types, you’re up. The EU has imposed a May 25 enforcement deadline for any organization, regardless of location, that does business with any number of the EU’s approximately 5,000 citizens. And non-compliance could cost you the ball game, with a price tag of up to 4 percent of your annual revenue or €20 million, whichever is higher.
In a recent survey of Fortune 500 firms, 98 percent reported being on track with GDPR compliance efforts. Unfortunately, the same survey went on to record far too many “no” answers to specific “have you done this yet?” questions. Organizations just aren’t as ready as they think, and odds are good that you could be more prepared too. If you’ve procrastinated on this process – and studies show just about everyone has – start now by taking a hard look at these three foundational areas.
- Build your team: GDPR requires the appointment of a Data Privacy Officer. This could be a new position filled by additional headcount, or you could add to or change the duties of someone already on staff. The position could be held by a full-time employee or an external consultant. Regardless of the approach you take, someone with compliance expertise is needed to inform your organization of its GDPR obligations, monitor compliance, and serve as the liaison with the supervising authority. A DPO is the minimum; better still is a cross-functional team that can educate others in the organization while planning for and responding to data privacy issues across the organization.
- Map your data: Identify the data sets under your organization’s control (for both customers and employees) and the legal basis for processing each set of personal data. If you have more than 250 employees, also maintain documentation of all processing activities, including controller and processor contact information, the purposes of processing, the categories of data subjects and personal data, the recipients of data disclosures (including any country or international organization), and the security measures in use. These records will need to be available if the regulating authority wants to perform an audit.
- Write an incident response (IR) plan: If a security incident does occur, GDPR requires disclosure to the supervisory authority and to the affected users within 72 hours. So that you can issue notifications within that window, develop an IR plan that clearly defines what constitutes a breach, the rules that apply, and the assets you have available to investigate and respond. Remember that notification can be avoided only if the affected personal data has been rendered unintelligible or inaccessible.
Meeting GDPR compliance is a complex process in which many more details must be addressed. Learn more tips in the webinar I participated in with the IT GRC Forum: GDPR Compliance Masterclass. You’ll gain some pretty valuable insight from the distinguished panel. As we enter the home stretch for this regulation, it’s definitely better to be late than never.