D-Day is well and truly upon us, and many organisations will still be unprepared when the European Union's General Data Protection Regulation (GDPR) comes into force on 25th May 2018.
As you are probably fully aware by now, GDPR has challenged organisations in virtually every industry to comply with what is widely regarded as a strict set of privacy requirements by the 25th May 2018.
Although GDPR is European legislation, it applies to any organisation anywhere in the world that handles the personal data of EU residents. We are sure you know this by now, as we have stressed it many times, but fines can reach €20m or 4% of global annual turnover, whichever is higher.
GDPR is an enormous piece of legislation with many stipulations: the full text runs to 200+ pages, with 99 articles and 173 recitals to know, understand and apply. Here is a link to the key things you need to know: https://www.eugdpr.org/the-regulation.html.
Most companies will need to bring together expert guidance, employee training and technology to achieve GDPR compliance before 25th May 2018 and to maintain it afterwards.
For those whose preparation is lagging, there are 3 critical steps we would advise you take to dramatically improve your GDPR readiness before the deadline. These are:
1. Figure out whether you are a data controller or data processor
As far as GDPR is concerned, for each processing activity your organisation acts in one of two roles: as a data controller (you decide the purposes and means of the processing) or as a data processor (you process personal data on a controller's behalf). Many organisations are both, acting as controller for their own customer and HR data while processing other companies' data as a supplier. Determining which role you hold for each activity is key to understanding which GDPR articles you must comply with and the different obligations that apply; controllers carry the greater share, but processors have their own direct duties too.
2. Identify high-risk data processing activities
Businesses will now have to demonstrate that, across all the personal data they hold, they can identify which processing is high-risk, since that is what triggers a data protection impact assessment under the regulation. Businesses would do well to deploy some form of data mapping solution to establish what types of personal data are collected throughout the organisation, where each type originates, where it is collected, with whom it is shared, how sensitive it is, and whether it should be retained or deleted.
3. Obtaining and managing user consent
GDPR requires consent to be freely given, specific, informed and unambiguous. Companies must also be able to demonstrate that an individual actually opted in, and withdrawing consent must be as easy as giving it. Deploying a process that records the purpose of each instance of personal data processing, together with when and how consent was obtained, makes it straightforward to prove that consent exists and to honour a withdrawal on a user's request. Putting this in place now will drastically simplify your processes later.