With the GDPR in force since May 2018, many organizations that have any relation with the EU have taken considerable steps toward GDPR compliance. However, many organizations may still be struggling to decipher the regulation and implement control measures in the organization.
Here is a guide to help organizations start their journey toward becoming GDPR compliant.
It is important that higher management is fully aware of the GDPR timeline and integrates it into business planning. Management should start to identify the areas that could cause compliance issues under the GDPR, and strengthen the organization's risk management process, as implementing the GDPR will have an impact on business processes and resources.
Conduct a data flow audit of all customer information and answer the following questions:
The purpose of holding the data.
The source of the data.
The original purpose for which the data was collected.
The data retention period.
The security of the data, in terms of encryption and access control.
The third-party services with which the data is shared.
The GDPR requires the organization to document and practice the ways in which it complies with data protection policies.
Communication to Users and Staff
Provision for Personal Privacy Rights
Ensure that all the individual rights of users under the GDPR are covered. Rights for individuals under the GDPR include the right to rectification, the right to erasure, the right to object, the right to restrict processing, and the right to data portability.
Understand your Legal Basis
Understand the various data processing activities carried out in the organization, identify your legal basis for each, and document it. Where user consent is relied upon as the sole legal basis, documenting it would prevent any future risk arising from a user objection.
Data Protection Impact Assessments (DPIA)
A DPIA is a systematic assessment of the potential impact that a project or initiative might have on the data privacy of users. It helps the organization identify potential privacy risks and prepare to mitigate them. The GDPR makes a DPIA mandatory for organizations involved in high-risk data processing.
Data Breach Reporting
Make sure to have the right procedures in place to detect and investigate any personal data breach. Under the GDPR, many organizations are required to notify the Data Protection Commissioner of any personal data breach, and this reporting is to be done within 72 hours. For breaches that might be harmful to an individual, it is mandatory to report to the individual concerned. Assess the data you hold and identify the documents needed for notification in the event of a breach.
These are just a few initial steps toward becoming GDPR compliant. Reading the regulation in full would enable a much deeper understanding. VComply is a secure IT GRC platform that helps organizations become GDPR compliant with its cloud-based platform, improving accountability and transparency.
To read more on GDPR, click here.