GDPR: Primary Actions

GDPR: start from scratch with these primary steps

The following steps can help you identify where you are in your GDPR compliance journey. Consider them a quick audit that precedes a more comprehensive gap analysis of your current situation:

  • Role identification: identify whether you are a data controller, a data processor, or both.
  • Identify all data collection and processing systems and workflows, knowing where the data came from, every entity it has been shared with, and every location where it is stored.
  • Conduct a full audit of how you currently process customers' private data (e.g. financial information, marketing facts, and so on). This can be labor-intensive and time-consuming, but it is unavoidable.
  • Determine whether you need to appoint a Data Protection Officer, and designate a contact who will cooperate with the GDPR supervisory authority.
  • Develop consent and disclosure forms covering all possible uses of the data.
  • Ensure you have policies to notify EU citizens of potential breaches when their data is affected.
  • Revise your privacy policy and privacy practices to meet GDPR requirements.
  • Awareness: make sure business associates and subcontractors are aware of their requirements under GDPR.
  • Review your data retention policies. There is a maximum time limit for storing data on EU citizens, and data can only be kept until the purpose for which it was collected has been achieved.
  • Other initiatives: build on your other regulatory initiatives or existing privacy and security programs.
  • Consider Privacy Shield if data transfer across borders is required; you may need to start participating in this program.

The first challenge is to identify your role under GDPR: data controller, data processor, or both. This changes many things going forward, because the obligations and the set of requirements differ for each. As I have mentioned multiple times, know your workflow so you can locate where data resides within your systems and processes. This is going to be the biggest audit of your organization. Even if you step away from GDPR later for any reason, the value of this journey will benefit your business permanently.


By Kaveh Mofidi

I find simple solutions for complex problems. While I enjoy working with information security and computers, our challenges extend far beyond securing data. The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on Earth!
