For many companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection program that meets the GDPR requirements.
The General Data Protection Regulation applies to EU entities and to non-EU entities marketing goods and services to EU citizens, so even non-EU entities should be preparing to comply with GDPR. There are two reasons to act. First, by complying with GDPR requirements, businesses avoid costly penalties while improving customer data protection and trust. Second, the GDPR is predicted to be the forerunner of many more such data protection laws, many of which will reach across borders. US companies would be wise to adjust their data protection programs and adapt to the new paradigm NOW.
Step One > Classifying and Tracking the GDPR Data
Find and classify the GDPR data, i.e., the personal data of employees, customers and business partners, whether the person is identified or identifiable, directly or indirectly. Next, map the data as it flows internally so you know where it is. Then run a gap analysis to see if and where any data was missed. Once you know where all the data goes, you can sequester it rapidly if ordered to. When you are setting priorities for this project and others, think about what would happen if you had to stop data processing because of a GDPR order.
Know where the GDPR-sensitive data is located in each type of communication, product or process; then you can identify the risk profile of the data and protect it.
Article 4(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Article 9.1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
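The classification, flow-mapping and gap-analysis steps above can be made concrete with a small inventory tool. The following is an added example, not code from the original article: it tags fields as direct identifiers, indirect identifiers or Article 9 special categories, derives a risk profile per system, reports fields seen in observed data flows that the documented inventory missed, and lists every downstream system a given source feeds, which is what you need when ordered to stop processing. The field vocabulary, system names and flows are constructed for illustration and would need to be tuned to a real organization's schemas.

```python
from collections import deque

# Constructed field-name vocabulary (hypothetical; tune to real schemas).
# Article 4(1): identifiers that point at a natural person directly or indirectly.
DIRECT_IDENTIFIERS = {"name", "email", "national_id", "phone"}
INDIRECT_IDENTIFIERS = {"ip_address", "device_id", "postcode", "location"}
# Article 9(1): special categories whose processing is prohibited by default.
SPECIAL_CATEGORY = {
    "health", "religion", "ethnicity", "union_membership", "biometric",
    "genetic", "sexual_orientation", "political_opinion",
}


def classify_field(field_name):
    """Return 'special', 'direct', 'indirect' or 'none' for one field name."""
    key = field_name.lower()
    if key in SPECIAL_CATEGORY:
        return "special"
    if key in DIRECT_IDENTIFIERS:
        return "direct"
    if key in INDIRECT_IDENTIFIERS:
        return "indirect"
    return "none"


def risk_profile(fields):
    """Collapse a set of fields into a single risk level for a system or flow."""
    categories = {classify_field(f) for f in fields}
    for level, label in (("special", "high"), ("direct", "medium"), ("indirect", "low")):
        if level in categories:
            return label
    return "none"


def gap_analysis(inventory, observed_flows):
    """Personal-data fields seen in flows that a system's documented inventory lacks.

    inventory: {system_name: set(documented_field_names)}
    observed_flows: [(source_system, destination_system, [field_names])]
    Returns [(system_name, sorted_missing_fields)] in flow order.
    """
    gaps = []
    for src, dst, fields in observed_flows:
        for system in (src, dst):
            documented = inventory.get(system, set())
            missing = {f for f in fields
                       if classify_field(f) != "none" and f not in documented}
            if missing:
                gaps.append((system, sorted(missing)))
    return gaps


def downstream_systems(observed_flows, start):
    """Every system reachable from `start` through the flow graph (breadth-first)."""
    edges = {}
    for src, dst, _ in observed_flows:
        edges.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


# Constructed sample inventory and observed flows (hypothetical systems).
INVENTORY = {
    "crm": {"name", "email", "phone"},
    "analytics": {"device_id", "ip_address"},
    "hr": {"name", "national_id", "health"},
}
FLOWS = [
    ("crm", "analytics", ["email", "device_id"]),
    ("hr", "payroll", ["name", "national_id", "health"]),
    ("analytics", "reporting", ["device_id"]),
]

if __name__ == "__main__":
    for system, fields in INVENTORY.items():
        print(f"{system}: risk={risk_profile(fields)}")
    for system, missing in gap_analysis(INVENTORY, FLOWS):
        print(f"gap: {system} undocumented {missing}")
    print("downstream of crm:", sorted(downstream_systems(FLOWS, "crm")))
```

Running it shows `payroll` and `reporting` receiving personal data with no inventory entry at all, which is exactly the kind of miss the gap analysis exists to surface, and that stopping `crm` would also require attention to `analytics` and `reporting`.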
Step Two > Budget
The company must assess the costs of implementing a GDPR compliance program, including the professional services of GDPR-knowledgeable professionals, and the personnel, products and services needed to maintain compliance once it is in place.
Step Three > Security Controls
As part of the compliance program, set up security controls, update existing processes and software, and review and update privacy notices and communications to customers against the GDPR standards. Fill gaps as they are identified and implement mitigation strategies. You may have to build new internal processes for data portability requests and for right to erasure and right to be forgotten requests.
Step Four > Test the Response Plan
An incident response plan should be part of the overall compliance program. Test the plan against the GDPR guidelines, under which you must communicate within 72 hours not just with regulators, but also with those whose data was compromised. You must also perform due diligence on third parties for their privacy and security practices.
Step Five > Training
Training and awareness are part of mitigation and of demonstrating compliance. The program must measure its own effectiveness regarding privacy, notices and communications.
Conclusion
Implementing the GDPR compliance program is only the first step. It is not a ‘set-it-and-forget-it’ program: maintaining a high level of compliance will be a continuous endeavor. Companies not directly affected would be wise to implement similar requirements in their own data security programs, as the GDPR will become the model for other jurisdictions.