GDPR may be a challenge, but understanding the regulations and adopting them early empowers organizations to meet the compliance deadline – minus the anxiety. GDPR also creates new opportunities for organizations to expand their business horizons. To help organizations execute and accelerate their GDPR compliance strategy, I propose a straightforward 7-step plan which focuses on practical and conceptual ideas.
An organization’s GDPR compliance journey begins with gaining an in-depth awareness and building in-house expertise on all aspects of GDPR. Apart from helping organizations win the compliance battle, awareness helps organizations create new business opportunities. Building GDPR awareness in not a one-time task, but rather, a continuous process that involves the understanding and contribution of all employees.
2.Is your business affected?
Organizations need to ascertain the impact of the regulation on their business operations, depending on the nature of the business. GDPR compliance is mandatory for organizations that process data categorized as personal data from individuals living in the EU, even if this is done indirectly – for example, using a cloud storage system established and hosted outside the EU. (Refer to step number 6 for more details on organizations that are not established in the EU, but process personal data of individuals living in the EU).
Engaging with law firms that offer GDPR consultancy is a time-effective approach during these initial stages.
3.Review the impact on existing data
The next step is to thoroughly evaluate if all data collection methods used the necessary consent and furthermore, if the organization is able to demonstrate proof of consent. This step can be further divided into analyzing and identifying all sources of existing data, determining if there are legitimate grounds for the processing of existing data, and applying privacy principles for the existing data.
4.Review systems and processes
In addition to reviewing data collection, organizations must also review data storage and access mechanisms, and specifically decide if a data processing impact assessment (DPIA) must be carried out. Seeking a professional expert’s opinion is highly encouraged for this process.
5.Implement necessary safeguards
Following the completion of the previous step, organizations must implement the required safeguards – which include adjusting business processes, upgrading software/storage systems, training for staff members, and introducing auditing systems.
6.Appoint EU representative and/or Data Protection Officer (DPO) – if applicable
If an organization is not established in the EU, but offers goods and services to the EU, a representative known as the DPO needs to be appointed to address GDPR related matters. The DPO’s responsibilities include advising staff members on data protection procedures, monitor compliance, act as the point of contact for supervisory authorities and liaise with them, provide advice on data protection impact assessments, and act as the point of contact for any data protection related matters.
7.Revise documents and policies
The final step in this process involves reviewing all documents and policies of the organisation such as websites, terms and conditions, privacy policies, and social channels. Furthermore, individuals and supervisory bodies must be able to access these materials as well. It is important for organisations to ensure that they can clearly demonstrate their GDPR compliance through publicly available documents such as privacy notices, terms and conditions, and user consent pages.
By Sagara Gunathunga, Director, WSO2
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.