GDPR: start from scratch with these primary steps
The following steps can help you identify where you are in your GDPR compliance journey. Treat them as a quick audit that precedes a more comprehensive gap analysis of your current situation:
- Role identification: identify whether you are a data controller, a data processor, or both.
- Identify all data collection and processing systems and workflows: know where the data came from, every entity it has been shared with, and every location where it is stored.
- Conduct a full audit of how you currently process customers' private data (e.g. financial information, marketing facts, ...). This can be labor-intensive and time-consuming, but it is unavoidable.
- Determine whether you need to appoint a Data Protection Officer, and designate a contact who will cooperate with the GDPR supervisory authority.
- Develop consent and disclosure forms covering all possible uses of data.
- Ensure you have policies to notify EU citizens of potential breaches when their data is affected.
- Revise your privacy policy and privacy practices to meet GDPR requirements.
- Awareness: make sure business associates and subcontractors are aware of their requirements under GDPR.
- Review your data retention policies. There is a maximum time limit for storing data on EU citizens, and data may only be kept until the purpose for which it was collected has been achieved.
- Other initiatives: leverage your other regulatory initiatives and existing privacy and security programs.
- Consider Privacy Shield if data transfer across borders is required; you may need to start participating in this program.
The first challenge is to identify your definition under GDPR: data controller, data processor, or perhaps both. This changes many things going forward, because the obligations differ and each role has its own set of requirements. As I mentioned multiple times, know your workflow so you can locate where data resides within your systems and processes. This will be the biggest audit of your organization. Even if you later step back from GDPR for any reason, the value of this journey will benefit your business forever.