With just over six months to go until the General Data Protection Regulation (GDPR) comes into force, organizations that handle the personal data of EU citizens are preparing for this new compliance regulation. If you’ve not gotten started yet, or your plans are still in their infancy, we’re creating a series of helpful blog posts to see you through to May 25th 2018. This infographic covers the month-by-month high-level topics.
With holiday season fast approaching in many parts of the world, getting your plans off the ground now is vitally important, as January tends to come around all too quickly. Here are our recommendations for November:
Form a cross-functional team with representation from every major group in the organization
Although it’s a legal text, GDPR isn’t just for the legal team to worry about. It’s highly likely that every department in your organization does something with personal data. You need a senior-level representative from each area to be part of your GDPR task force. They’ll need to understand what GDPR is and how it affects their areas. Our Whiteboard Wednesday: GDPR Overview covers the regulation at a high level, and this guide from legal firm Bird & Bird provides an easily digestible walkthrough of the regulation in more detail without needing a legal degree.
Seek legal counsel
If you do have your own in-house data protection legal specialists, then it’s likely you’re already way ahead in your planning. If you don’t have such a luxury within your organization, then it’s time to bring in a third party to assist. There are a plethora of law firms offering these types of services, so you shouldn’t have to look too hard.
Determine if you need to appoint a Data Protection Officer (DPO)
If your organization fits within one of these three categories, then you must designate a DPO:
- It is a public authority (except for courts acting in their judicial capacity)
- It carries out large-scale systematic monitoring of individuals (e.g., online behavior tracking)
- It carries out large-scale processing of special categories of data, or data relating to criminal convictions and offences
The role of the DPO is to inform and advise on data protection matters; to monitor compliance and cooperate with the supervisory authority; and to act as a point of contact for the supervisory authority. This is a very senior role, but it does not have to be a full-time employee. There are various options available for virtual DPOs, and your legal counsel will be able to advise as to whether or not you require one.
Map the journey of personal data into, through, and out of your ecosystem
Firstly, it’s important to understand what is meant by “personal data”, as we’re not just talking PII here. It’s essentially one or more pieces of data that can directly or indirectly identify a living person. This article explains things very well. Understanding the paths of personal data throughout your organization is the first step in applying the six principles of data processing (aka Article 5 of GDPR). Web applications are a common entry point, as are people whose role it is to enter and update data, such as sales, marketing, customer services, technical support, etc. Look at where personal data is stored, how it gets there, and whether you use cloud-based and/or third-party applications. Now is the time, too, to start thinking about how to get a handle on unsanctioned services (aka shadow IT). If you can’t see where personal data is going, you have no means of discovering and securing that data.
Discover and categorize personal data
Once you’ve worked out where and how personal data arrives, travels, is stored and leaves, then you need to understand what you have, and why you have it. This is where your task force comes into its own – the people closest to the data are the ones who should be telling you what you have. There are various tools available to help you achieve this: OneTrust and Spirion are just a couple of examples.
Contact any third-party data processors to request details of their GDPR plans
Now is the time to reach out to any third-party providers who process personal data on your behalf. These could be financial services, cloud-based applications, storage providers, and more. As the owner of the data (the data controller in GDPR terminology), it is your responsibility to make sure you have the correct contractual agreements in place with data processors; otherwise, you could be held jointly responsible for any issues that arise under GDPR.
If you’re looking for further information or advice on how to proceed, please do check out our GDPR toolkit. We also offer a GDPR Readiness Assessment that can help you understand the gaps in your current processes and technology, and will provide you with a strategic roadmap to GDPR compliance.
Watch the GDPR blog tag to keep up as we get closer to GDPR go-time.