There are some tough decisions ahead when it comes to the General Data Protection Regulation (GDPR). By now you should know where your compliance gaps are and be considering how to tackle them.
In this post we look at what you need to stop, what you need to do less of, what you need to improve, what to outsource, what you can accept, and how to plan the work.
What you need to stop
One thing is clear when it comes to GDPR preparation: any processing you cannot make compliant should stop. For each set of personal data you hold, weigh the value it brings against the cost of making its processing compliant, and ask whether it is worthwhile putting the necessary controls in place at all. Only you will know where your biggest compliance challenges are, so an honest investigation of your own processing comes first.
What you need to do less of
Data minimisation is good practice when it comes to data protection. Only collect the data you need, only do the processing you need and only keep the data for as long as you need it. It is also important to have a map of how data moves around your organisation and to ask, whenever you send data on, whether you are sending more than the recipient needs: could you drop fields, redact the details that identify a person, or aggregate the records before sending them?
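As an added illustration of that last point (this is example code, not part of the original post), the following Python builds a minimised export for a hypothetical analytics supplier: it sends only an allowlisted set of fields, redacts the ones that identify a person (email reduced to its domain, postcode to its outward code, date of birth to a year), replaces the internal customer id with a keyed pseudonym, and offers a count-based aggregate where row-level data is not needed at all. A final release gate refuses the export if anything that still looks like a direct identifier slips through. The customer records, the supplier's field requirements and the secret key are all constructed for the example.

```python
"""Data-minimising export: send only the fields a recipient needs, redact direct
identifiers, and aggregate where individual rows are unnecessary.

Added example for illustration; not the original post's code. All records below
are constructed (fictional people), and the recipient's needs are assumed.
"""
from collections import Counter
import hashlib
import re

# Constructed sample records (fictional people, not real data).
CUSTOMERS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.org",
     "postcode": "SW1A 1AA", "dob": "1980-03-04", "region": "London", "plan": "pro"},
    {"id": 102, "name": "Bob Sample", "email": "bob@example.net",
     "postcode": "M1 1AE", "dob": "1975-11-30", "region": "Manchester", "plan": "basic"},
    {"id": 103, "name": "Carol Demo", "email": "carol@example.org",
     "postcode": "SW1A 2AA", "dob": "1990-07-12", "region": "London", "plan": "basic"},
]

# Assumed needs of a hypothetical analytics supplier: nothing that identifies a person.
SUPPLIER_FIELDS = ["email", "postcode", "dob", "plan"]


def redact_email(email):
    """Keep only the domain, enough for deliverability reporting."""
    return "***@" + email.partition("@")[2]


def truncate_postcode(postcode):
    """Keep the outward code (district level), e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.split()[0]


def year_only(date_iso):
    """Reduce a full date of birth to a birth year."""
    return date_iso[:4]


# Which redaction to apply to which field before it leaves the organisation.
SUPPLIER_REDACTIONS = {"email": redact_email, "postcode": truncate_postcode, "dob": year_only}


def pseudonymous_id(record_id, key):
    """Keyed hash of the internal id: the recipient can link rows across exports
    but cannot recover the real id without the key, which never leaves the sender."""
    return hashlib.blake2b(str(record_id).encode(), key=key, digest_size=8).hexdigest()


def prepare_export(records, allowed, redactions, key):
    """Build export rows containing only `allowed` fields, with `redactions`
    applied and the internal id replaced by a pseudonym."""
    rows = []
    for record in records:
        row = {"ref": pseudonymous_id(record["id"], key)}
        for field in allowed:
            value = record[field]
            if field in redactions:
                value = redactions[field](value)
            row[field] = value
        rows.append(row)
    return rows


def aggregate(records, field):
    """Counts per value of `field`: what an analytics recipient usually needs
    instead of row-level data."""
    return dict(Counter(record[field] for record in records))


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")          # unredacted address
FULL_POSTCODE_RE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$")  # outward + inward code
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")                  # full date of birth


def leaks_identifiers(rows):
    """Release gate: True if any exported value still looks like a direct
    identifier (a name field, a full email address, full postcode or full DOB)."""
    for row in rows:
        for field, value in row.items():
            if field == "name":
                return True
            if isinstance(value, str) and (
                EMAIL_RE.search(value) or FULL_POSTCODE_RE.match(value) or DOB_RE.match(value)
            ):
                return True
    return False


if __name__ == "__main__":
    key = b"sender-only-secret"  # constructed; in practice keep this out of the export
    export = prepare_export(CUSTOMERS, SUPPLIER_FIELDS, SUPPLIER_REDACTIONS, key)
    if leaks_identifiers(export):
        raise SystemExit("export blocked: direct identifiers present")
    for row in export:
        print(row)
    print("by region:", aggregate(CUSTOMERS, "region"))
```

Run as a script it prints the minimised rows and the per-region counts; calling `prepare_export` with an empty redaction map for the same fields makes `leaks_identifiers` return True, which is the case the gate exists to catch. Keep the pseudonymisation key with the sender: with it the export is re-linkable to real customers, so it is still personal data on your side, only reduced on the recipient's.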
What you need to improve
If what you are doing is necessary but not yet compliant, you will have to improve your data protection. This could mean clearer privacy notices to the data subject, a sounder basis for the processing (for example, consent that is freely given and recorded), data sharing agreements with the organisations you pass data to, and clarity about who controls the data and who merely processes it on their behalf. Most organisations will find themselves writing policies and procedures and training staff in these areas.
Another thing to consider is stronger cyber-security to reduce the risk of a personal data breach. GDPR expects technical and organisational measures appropriate to the risk, and a breach that is likely to put people at risk has to be reported to the regulator within 72 hours of becoming aware of it, so knowing where your data is and being able to detect and investigate an incident matters. This is a very important element and it is worth considering outside help.
What you need to outsource
If you have looked at what needs to be done to be GDPR compliant and you are unsure whether you can achieve it in-house, you will need to outsource some of the problem. If you do, remember that outsourcing an activity does not outsource accountability: as the controller you remain responsible for the data, and a processor handling it on your behalf must be bound by a written contract. Choose a supplier that can demonstrate its own compliance, set out its obligations (security measures, sub-processors, assistance with data subject requests and breach notification, return or deletion of the data) and build suitable governance and audit rights into the contract.
What you can accept
You may find that some of what you are already doing is good enough. Perfection does not exist, so work through the gaps in order of priority, starting with the processing that carries the most risk to individuals. Remember that the regulator wants to see that you are genuinely working towards compliance, so document your plans, decisions, priorities and the reasons behind them.
Planning
By now you should have worked out what you are going to do and should be deciding who is going to do it, when it will be done, what it will cost and how it will be paid for. Board members, lawyers, advisors, IT contacts and other decision makers should be kept informed at every stage.