The EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018. To avoid reputational damage and potential fines of tens of millions of Euros, companies must move quickly to understand the legislation and put appropriate measures in place. Northdoor proposes six steps to get you quickly on the path to compliance.
Under GDPR, any information that could identify a person must be protected against exposure. The key challenge is to work out what data you hold and in which systems – both paper-based and electronic. At Northdoor, we call this stage “Find IT”. In later stages, you will want to define and manage different kinds of data – “Classify IT” – and you will also need to make sure you have the right compliance structures around people, processes and technology: “Comply to IT”.
In a networked world, you must also think about data you share with partners. The first stage is simply to start the conversation with the business people who own the data and start to work out exactly what you have.
Once you have established what personal data you hold and taken the first steps to protect it through encryption, you should move on to understand the rights that individuals have over their data under GDPR. You will need to have measures in place for responding to requests to access, amend, transfer or delete data, and you will need to understand the legal deadlines.
This is also a good point at which to consider how you seek, obtain and record consent from individuals to hold their data, and to identify and document the legal basis on which you process personal data. Requests from individuals to access their data fall under the same response measures described above.
Under GDPR, notifying the authorities about data breaches will be a universal requirement, so you need to make sure that you have the right procedures in place to detect, investigate and report on personal data breaches. The average UK organisation suffers 3.9 breaches per year, and only 45 percent of those incidents are actually recognised.
In the past, a “privacy by design” approach to personal data was considered best practice. Under GDPR, it becomes an explicit legal requirement, so you will need to verify that such an approach is embodied in your standard practices.
To find out how Northdoor can help you achieve GDPR compliance faster and more effectively, download our whitepaper by completing the form or contact us for an informal assessment. In addition to experience and practical advice, Northdoor offers software tools that enable you to iteratively discover, analyse, classify and encrypt data. We’ll review your existing approaches to data protection and security, and provide a clear checklist of recommended next actions, helping you get started quickly.