Is your business prepared for GDPR? We’ve put together six GDPR compliance steps that every business should take to meet the new regulation.
It’s finally here: the Friday 25th May 2018 deadline has been and gone, and the EU’s General Data Protection Regulation (GDPR) is now in full force. The flood of GDPR emails that was hitting your inbox has likely dried up, and the GDPRmageddon that many foretold has failed to materialise. Time to write GDPR off as another millennium bug-style storm in a teacup? Sadly not. GDPR compliance is still essential if you want your firm to avoid hefty fines from the supervisory authorities (in the UK, the ICO), which can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
Have you taken the necessary steps to achieve GDPR compliance across your firm? In case you’re struggling, we’ve compiled six GDPR compliance steps your firm should take to ensure you don’t fall foul of the regulators.
Six GDPR Compliance Steps
No matter what your firm deals in, if you are established in the EU, or you process the personal data of people in the EU because you offer them goods and services or monitor their behaviour, you will be bound by the rules of GDPR. Note that the test is where the individuals are, not their citizenship. If you’re wondering whether or not you are compliant, here are six GDPR compliance steps your firm should take now.
Step One: Commitment
Before you can go any further, you need commitment from the board level down that GDPR is high on your firm’s business agenda. Make sure that you document statements from the board that they are committed to undertaking a GDPR compliance programme, whether it’s headed up by an internal resource or an outsourced agent. And if you’re not compliant today, don’t panic. GDPR has no formal grace period, but you should be able to show that you are taking documented steps towards compliance on a defined timetable; three to six months is a realistic target for most firms.
Step Two: Interpretation
Searching for clarity within GDPR’s legislation is proving difficult for many. Over time, we expect case law and regulator guidance to clarify many of the regulation’s ambiguities. In the meantime, though, your firm will need to settle on its own interpretation of how to meet GDPR requirements. You should be able to state a purpose and a lawful basis (Article 6) for all of the personal data you hold. Note that GDPR’s “personal data” is broader than the Personally Identifiable Information (PII) that many security frameworks use: it covers any information relating to an identifiable person, including identifiers such as IP addresses and cookie IDs. The scope isn’t only electronic but also includes paper documents, CCTV footage, backup tapes, and anywhere else that personal data can be found.
Step Three: Assessment
The assessment step comes in two parts. The first is to carry out a gap analysis of the compliance risk factors that need to be addressed. Alongside this, you should undertake a data mapping exercise to understand where personal data is held across your firm, where it came from, who it is shared with, and how long it is retained. When it comes to assessing your GDPR posture, remember that you needn’t implement measures that are unduly onerous for your firm; the measures you take should be proportionate to the risk that the personal data you hold presents. Where the mapping turns up processing that is likely to be high risk to individuals, for example large-scale profiling or monitoring, GDPR requires a Data Protection Impact Assessment (Article 35) before that processing goes ahead.
Step Four: Documentation
Your firm needs to document its GDPR policies, contracts, and assessments so that it can present them to regulators when requested. These should be appropriate to your business, and they should reflect your GDPR posture as it is, not just how it should look in an ideal world. At a minimum you should be able to present upon request a privacy notice for data collection (Articles 13 and 14), a data protection policy, a record of data processing activities (Article 30), and written contracts with any external data processors (Article 28).
Step Five: Implementation
Here’s where everything really starts to come together. You need to implement a data protection compliance programme that is appropriate for your firm and its data risk. Your staff will play a key role in this, so one of the fundamental aspects of the implementation will be staff training. This should be carried out by qualified professionals, and will take two forms: general staff training, and tailored role-specific training for key departments such as HR and marketing. Although you may not have dealt with any yet, make sure that your data subject access request procedures are documented and tested, too; you have one month from receipt to respond (Article 12). The same goes for your personal data breach procedure, since a reportable breach must be notified to the supervisory authority within 72 hours of your becoming aware of it (Article 33).
Step Six: Auditing
Finally we reach step six: auditing. Regular testing and auditing is essential to ensuring your firm continues to meet its GDPR compliance requirements as systems, suppliers, and processing activities change. Internal and external auditing are equally important, and should regulators target your firm, a record of regular auditing will put you in a stronger position to meet their expectations.
GDPR Compliance Advisory Services
At MMRIT we have made a significant organisational investment in staff members who have an understanding of GDPR requirements. Through our GDPR compliance advisory services, we offer firms access to the independent experience they need to implement operational best practices whilst removing conflicts of interest that can arise with internal individuals and teams. Contact us to find out more.