GDPR compliance is like planting tulips
Planting tulips requires advanced planning. For tulips to bloom in the spring, you plant bulbs in the fall. You plan ahead for the payoff later in March, April, or May.
The annual tulip promise is a lot like where we are now with GDPR compliance. The regulation goes into effect on May 25, 2018. What you plant this fall in terms of compliance efforts will determine what appears in late May related to GDPR compliance.
For the uninitiated, like 75 percent of non-IT executives based in the US, GDPR stands for General Data Protection Regulation. According to the regulation’s site, GDPR “applies to all companies processing and holding the personal data of subjects residing in the European Union (EU), regardless of the company’s location.”
That has many companies in countries around the world concerned about GDPR. If your company collects and/or processes data of EU citizens, you’ll need to comply with GDPR. The penalty for non-compliance is severe–up to 20 million Euros or four percent of your company’s annual global revenue, whichever is greater.
But let’s not focus on fear mongering. Let’s roll up our sleeves and dig for simple steps that will lead to compliance. If you’re not in full compliance when May 25 comes around, be the organization that can show progress and intent to comply. Here are a handful of ideas to consider and why.
Champion a committee
GDPR requires that you appoint a Data Protection Officer (DPO). Once you do this, go one better. Form a cross-functional team consisting of human resources, IT, legal, marketing, and any department that touches privacy data. This committee is tasked with auditing and documenting data associated with individual privacy.
As Tudor Borlea, a GDPR specialist based in London, put it. “Regulators will want to see if the company can demonstrate accountability.” Having a committee headed by a DPO with a mission to protect data privacy goes a long way toward proving accountability.
Perform a gap analysis
Get started by analyzing how your company currently manages privacy data. Try to answer these questions. What data do you have? Who is the owner and caretaker of the data? Where is the data located? Why do you have the data? How are you using the data?
By knowing all the ways you collect, store, and distribute people’s privacy information, you can benchmark it against what GDPR requires. The resulting gap is the area your committee needs to address. A GDPR Checklist can organize the steps to compliance.
Revisit incident response
GDPR has a 72-hour breach notification rule. Can your company log a data privacy incident, record incident detail, and report the breach all within 72 hours? Revisit past incidents and current processes to determine a reasonable notification timetable for your company. The gap between 72 hours and your reasonable timetable is what your committee needs to work on.
Review your policies and procedures that relate to data privacy. Update or create new ones that streamline the incident response process. Link policies to procedures and controls in order to prove GDPR compliance. Having the committee study and make recommendations on incident response is essential to making changes to meet the 72-hour rule.
Invest in technology
Having the right technology makes GDPR compliance more process-oriented and easier. A platform designed to perform integrated risk management empowers users to meet the GDPR requirements related to policy/compliance, risk management, IT risk management, incident response, audit, reporting, assessments, and third parties.
The platform allows your cross-functional team to communicate and use workflow to manage a multitude of activities like gap analysis and the incident response process. It’s like having this time-saving device, the Bulb Bopper, for planting tulip bulbs. Technology and tools make commitments easier to manage, so you can get the work done.
That’s four ideas to get you started on GDPR compliance. Champion a cross-functional team led by a newly appointed data privacy officer. Perform a gap analysis of where you are now and what GDPR requires. Revisit your incident response process with an eye on speeding things up. And invest in a technology platform designed to manage regulatory requirements like GDPR.
Bottom line: focus on what you can do this fall to show your intention to comply with GDPR. Don’t be an outlier for non-compliance. If you need inspiration, plant a few tulip bulbs. Tulips or GDPR, the payoff for what you do this fall comes next spring.
Read about the GAO’s report on CRA oversight
Read about GDPR’s impact in its first year of regulation.
Learn how to prepare for the California Consumer Privacy Act (CCPA).