1. Find resources that will help you solve GDPR-related issues. The marketplace is now saturated with tools being relabeled as “GDPR solutions”, such as firewalls and antivirus software. While many of those tools may serve an important purpose, they will only be useful if you have a vision of how the tool can help your organisation manage privacy and data risk.
GDPR compliance is a complex undertaking that will impact every department, including legal, compliance, privacy, finance, and others. Therefore, organisations may need to integrate multiple technology solutions, as well as update internal processes and procedures, to comply.
“Be forewarned, the marketplace is now very stretched, so identification of experienced consultants who know how to help your organization implement the correct technologies and controls is challenging. Because of this, it’s very likely many organizations will still be putting controls in place after the 25 May deadline in 2018. Still others will not take the criticality of these controls seriously until the first major fines hit a few unfortunate companies.”
To avoid this, do everything in your power to find someone either internally or externally who understands the GDPR, has a proven track record of implementing solutions, and can articulate a clear vision for your organization to meet the implementation deadline.
2. Create an in-depth plan for third-party risk. The GDPR signals a fundamental shift in terms of an organisation’s obligation to proactively demonstrate compliance: now, organisations are essentially responsible for what their vendors do with the organisation’s customer data. If your organisation chooses to share customer data with any other organisation, you must know with certainty that the organisation can be trusted. The legal and financial ramifications can be enormous if you do not.
If you have yet to audit your current vendors, now is the time to do so. You may need to revisit your contractual obligations to put data processing agreements or model clauses in place, and put in place a plan to regularly evaluate your third-party vendors.
3. Establish focus areas for your GDPR program. “The GDPR is clearly complex—so the best way to get after it is to break it down into components.” For example, information security is one area you’ll need to focus on, and you’ll need to create a clear statement of security standards and the risk associated with the volume and sensitivity of the data you’re handling. This statement must cover your own organisation but also must be clear on what you demand of your third and fourth parties.
4. Start by addressing the straightforward components. According to a June 2017 poll, 37% of respondents listed their top concern with the GDPR as a lack of clarity regarding the steps necessary for GDPR compliance.
However, picking out the nuances regarding a topic that may not be clear in the GDPR articles—like individuals’ abilities to exercise their data portability rights—may not be the best place to spend your time and energy. Instead, begin your compliance program by focusing on the pieces of work you can start today to ensure your organisation—and your vendors—are compliant before the deadline.
5. Ensure you have appropriate security controls in place for your data. The only way to prevent a bank from being robbed is to close it off, boarding up the doors and windows. Similarly, the only surefire way to prevent the loss of data is to not use it or share it. But of course, that’s not practical. There will always be unforeseen circumstances that lead to breaches. The best thing you can do is take a defense-in-depth approach, giving your network — and the networks of your third parties — layers of security that proactively mitigate the risk of data loss.
6. Use quality metrics to support your decisions and demonstrate your progress. One of the key things your organisation should endeavor to do early in the compliance process is create and institute metrics around the uses of your data in the control environment you’ve established. The more you can automate and systematize the gathering of these metrics, the better. That way, you can return to the same metrics to evaluate progress.