1. Raise Awareness: Make it your responsibility to raise awareness internally within your peer groups, companies, and board-level associates.
Do not presume that everybody knows all about GDPR and is preparing accordingly. In fact, presume the opposite. Send them to my first article about GDPR basics as a starting point. If you would like advice from a SRC Secure Solutions security consultant, please get in touch.
2. Identify what data you retain: Document what personal data you store. Identify where it came from, the reasons why you store it, and create a yes/no checklist as to whether you really need to store it.
3. Clean your house: Declutter and get your house in order. By this I mean tidy up and remove any unused personal data that is no longer required for regulatory or historical reasons on all of your and your suppliers’ systems.
In this situation, less really is more. The less personal data you hold, the easier your task will be.
4. Create a GDPR responsibility framework: Create an organizational chart showing which role, or third party where applicable, is responsible for each element of GDPR.
Do you need to appoint a Data Processing Officer (DPO)? Identify the processors—those roles that process personal data. Who needs to be trained to understand their new obligations and responsibilities when processing data under GDPR? Do all employees know what they should be monitoring or doing in order to prevent a breach? Make sure you can answer these questions.
5. Update security data policies and procedures: One of the most important aspects of GDPR is that policies and procedures must be easily accessible and must also be easy to understand.
For example, an employee responsible for validating personal data when someone registers on your website must have access to any policies applicable to them performing their role effectively and within the GDPR regulation. The policies must be in plain English so that anybody can understand them.
6. Embrace GDPR and make it part of your working life: GDPR should be a normal part of your daily working life, just as getting up and going to the office.
Every aspect of your work that touches data should naturally be considered. For example, am I allowed access to this data? Why do I need it? Do I need to notify anybody I am processing it?
7. Prepare for a data breach: The fines for a data breach are huge—up to 20 million euros or four percent of your global turnover.
Ensure you have well defined policies to identify a data breach, remediate that breach, and notify all affected by the breach within the rigid timescales defined by GDPR, which is currently set at 72 hours. Ensure company insurance policies have been updated to reflect the new penalties.
8. Know the rights that people have and prepare to be challenged: You are responsible for demonstrating why you store or process data and ensuring its integrity.
Be prepared to be challenged and know what to do when you are challenged by one of the subjects’ rights, such as, right to access. This is where the data subject can request access to data and any supplemental data you hold or process relating to them. Be aware of all the rights pertaining to data processing.
9. Special requirements: Identify where special requirements and procedures may differ. For example, when processing data relating to children under the age of 16, you may require parental consent dependant on member state. For children aged 13 or under, parental consent is always required.
10. Talk to experts to be fully prepared: SRC Secure Solutions has expertise and solutions that enable you to minimize your risk by protecting systems, networks, and user access. Contact us to find out how you can identify security gaps on your system that put you at risk for compliance violations.
