9 steps towards GDPR compliance

The General Data Protection Regulation (GDPR) came into effect on 25th of May. We now live in the GDPR era where compliance needs to be as natural a part of your business as water is to fish. This doesn’t mean that transition is easy. Compliance is a long and close to never-ending journey. We recommend that you divide the effort into smaller, doable steps and conquer them one by one.

We wanted to collect some of the insights that we got when scouring through numerous reports on how to prepare and handle GDPR. So, we have compiled a list of 9 steps that you should tick off in your business. At the end of the article, we have provided all links to the reports.   

Reality is that no one will become 100% compliant. But you still need to do something.

1) Locate and map the personal data in your company

Start to understand where personal data exists in your company? Hint: It’s everywhere. The top-four sinners are e-mails, file storages, Enterprise Content Management Systems (ECM) and cloud apps.

Locating and mapping all personal data is a daunting task, so get the help you can. Make use of tools out there. And yes, we can help you with part of that automatically, but read the article before deciding what to do.??

2) Create awareness

You need your employees on board to get anywhere. They need to know what GDPR is, its implications and how to deal with it? We’ve seen examples of companies gamifying the learning process as a means not to bore employees to death. It pays off to think outside the box here. And a common answer to GDPR has been: “Oh – that GDPR thing doesn’t concern us …” – well, that’s a dangerous thought – mostly because is it most likely wrong.  

3) Categorize the data you have – and start with the top

In essence categorizing data is about giving yourself a structured overview of the type of personal data that your company has and where it comes from. A good way to categorize data is to categorize it by level of sensitivity. This will also help you when creating and mapping data flows.

4) The individual’s extended rights

The GDPR extends the rights of persons to be well-informed about – and protect - their personal data (not all are new but no one paid attention to them before). This means that you as a company need to address these extended rights. This includes informing them about why you are collecting their data and on what legal basis. In this respect, persons have the right to request their data to be handed-over, updated or even deleted, including:

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object, and
• the right not to be subject to automated decision-making

5) Be aware of the access request

It’s actually not new a thing that persons may exercise a right to see what personal data your company have on them. The new thing is that you have one month to deliver the data – and yes, that’s ALL data. And now persons know. Should you choose to refuse the request, you must tell the person on what basis and that they have the right to complain to the supervisory authority and a judicial body. And yes, that’s a very limited possibility to refuse a request. Gone are the days where you could charge persons to deliver their data. Gone are the days where you had 40 days to meet a request.

As a result, you need to be prepared when the requests roll in. FYI – In UK alone, 11 million requests have been made already. That corresponds to 1/6 of the population each making a request.

6) Update the consent you receive

Review how you seek, record and manage consents as the rules have now changed and you need to assess whether the consents you have are still valid in under GDPR? Or if you have a consent at all?

The consents need to be specific, clear, properly documented and easy to withdraw (i.e. don’t hide consents in a footer to a document otherwise promising free ice cream). Note that there are stricter requirements for the collection of “sensitive” personal data (e.g. data about sexual, political beliefs etc.). Such consents require a clear and express action from the person. 

7) Create procedures for data breaches

Data breaches come in many shapes and sizes. Whether it be an employee losing their phone or MyFitnessPal getting hacked and data from 150 million users data are stolen. The scope of breaches is broad, to say the least. Not surprisingly, actions need to be aligned which is why it is important that you have procedures in place for breaches in all shapes and sizes. If there is a risk that the breach would result in a risk to the rights and freedoms of natural persons (i.e. when Facebook shared users personal data with Cambridge Analytica), such breach must be reported to the relevant supervisory authority within 72 hours. Other breaches need to be reported to the individual. In some cases, you don’t have to inform anyone outside your company – but it needs to be recorded in a data breach log.

8) Document your efforts

To be compliant, you need to document the steps taken towards compliance. First, you need to get your policies and procedures in place. Loads of templates are available online. Search through them and get inspiration. Find something that fits your business – thankfully, there is a difference in being the local shop and global conglomerate.

In addition to your policies and procedures, you need to show that you have actually done “something” to minimize the handling of personal data, remedy existing risks and educate employees.

9) Designate a data responsible

You need to designate a person to take care of the data protection and compliance at your company There can’t be any doubt about your go-to-guy or girl. Be aware that your company may need to designate a “Data Protection Officer” (a DPO) if you are:

• a public authority (except for courts acting in their judicial capacity);
• an organisation that carries out regular and systematic monitoring of individuals on a large scale; or
• an organisation that carries out large scale processing of special categories of data, such as health records or information about criminal convictions.

In any case, you need to assign an employee to be responsible for your compliance and data protection efforts.

Whether you have scrolled down from the top to read the golden conclusion – or you have fought your way down the blogpost – one thing is certain: These nine steps to GDPR compliance can knock the wind out of you if you don’t do it right. Ideally, you would follow the steps chronologically but when have theory and reality matched perfectly? There’s no one guide to rule them all. In the end it all depends on your company’s capabilities. Start with whatever step is easiest to you and get your feet wet. And most important. Don’t try to run before you can walk. GDPR compliance does take time and you may even consider to use some of the clever software solutions out there (cough cough, including Archii GDPR).

Reports:

1.  Preparing for the General Data Protection Regulation – 12 steps to take now, ICO – Information Commissioner’s office
2. Learning to love GDPR, Box.
3. Planning for the General Data Protection Regulation, IBM Analytics
4. Deloitte GDPR Benchmarking Survey
5. Understanding GDPR Readiness 2017, Association for Intelligent Information Management

Get in touch to get the exhaustive list here.