You may have heard cybersecurity experts, lawyers, business leaders and many others talk about the General Data Protection Regulation (GDPR): about what it is, which organizations need to comply with it, its fines and penalties and so on.
But what’s not always talked about is – how to actually achieve compliance with GDPR.
- Am I collecting personal information from EU customers?
- What does my organization need to do?
- Do I have the right data privacy or cybersecurity measures in place already?
- How long does it take to successfully achieve compliance?
- How much time do my teams need to devote to achieving compliance?
- Is my privacy officer ready to handle this?
If your organization does business in the EU, even without a physical presence there, these questions are very important for you and you should get the questions above answered. If your clientele includes EU customers, you will need to demonstrate how to comply with GDPR to protect their privacy.
Every organization has different needs and is at a different growth stage. In this blog, we will provide guidance on how to find the answers to the above questions and provide an overview of the steps and processes to help you get the work done to achieve GDPR compliance.
Before we start, let’s go through a quick and simple explanation of GDPR. GDPR is Europe’s data privacy and security law that aims to give every EU citizen the right to know and decide how an organization processes their personal data: that is, an enterprise must be able to demonstrate how they use, store, protect, transfer and delete customer personal data.
GDPR also prohibits the amount of personal data that can be transferred outside the EU. Any transfer of personal data – which may include use of service providers outside Europe – that is not in compliance may be subject to regulatory fines.
Regulatory fines for violating GDPR requirements can run as high as €20,000,000, or up to 4% of your annual global revenue, whichever is greater.
What steps should my organization take to prepare for GDPR?
1. Assess existing privacy measures.
Your organization may already have parts of the GDPR requirements fulfilled without you realizing it. If you conduct a privacy gap assessment and assess your current privacy measures against the GDPR requirements, you can have a better and clearer understanding of what’s missing and which requirements have you already fulfilled. A privacy gap assessment can be conducted with a third-party cybersecurity firm or an in-house privacy expert.
2. Strategize and develop a compliance roadmap.
With a thorough understanding of where your organization stands in the compliance journey, you can start mapping out the best approach to take depending on your timeline, budget, limitations and more.
3. Execute the roadmap with purpose.
Now that you have a plan, timeline and actionable items, you are ready to start working on meeting the requirements of GDPR one by one. We have a high-level checklist here for you to give you an idea of the list of due diligence documents that GDPR generally requires to demonstrate compliance:
- Privacy Policy (Internal & External)
- Notice at Collection
- Listing of Personal Data Processed
- Location of Personal Data (in transit and in storage)
- Disclosure of Personal Data (to vendors)
- Business Continuity Plan
- Data Recovery Plan
- Pseudonymisation / Anonymization of Personal Data
- Testing / Security Overview
- Privacy Breach Handling Protocol
- Privacy Impact Assessment(s)
- Incident Response / Handling Protocol
- Third-party Service Agreement Contract(s)
- Assessment of Third-party Country Laws for Data Transfer
- Data Loss Prevention Mechanisms
- Policy Suite (All Policies)
- Access to Information Request Standard Operating Procedure (SOP)
- Erasure of Personal Data SOP
- Restriction / Objection to Processing SOP
- Data Portability SOP
- Training Materials
- Technical & Operational Measures to Safeguard Data (TOMs)
If you work with a third-party cybersecurity firm, like Kobalt.io, we would assign a cybersecurity account lead and a privacy subject matter expert to guide you through the details of how to curate and create the information needed for these documents. With professional guidance and instructions, you can save time exploring the steps yourself. Generally, this step can last up to 12 months.
4. Monitor and sustainment
You have achieved compliance and your privacy program is in place. You can start using your compliance as a sales driver to earn clients’ trust and build credibility within your industry. Conduct regular assessments to make sure that your organization complies with GDPR at all times and privacy controls are well enforced.
