The implementation of the General Data Protection Regulation (GDPR) means stricter data protection rules for companies that sell or market services or products in the EU and heftier fines for organisations that do not comply with the new legislation. Here are five tips for preparing your organisation for the GDPR.
- Make Sure Key Staff Members Understand the Importance of Compliance
Your senior staff and trustee board should be trained and knowledgeable in GDPR compliance. If your company qualifies as a data controller or data processor under the GDPR, you’ll need to show proof of staff training and monitoring. Even if your company is not required to provide such documentation, your organization’s key employees and decision-makers should be made aware of the financial and reputational damage that could be caused by a data breach.
- Review Your Data Handling Process
The GDPR requires organizations to be more accountable for how personal data is collected and used. Since the definition of personal data has been expanded to include “online identifiers” like hyperlinks, cookies, and advertising IDs, it’s important to review your company’s current data handling process and ensure such personal data is stored and used in compliance with GDPR legislation. Identify what kind of data you hold and where it came from. You should also take note of any data you share with other organizations.
- Know How You’ll Deal with a Data Breach
Make sure your company has procedures in place for detecting, reporting, and investigating personal data breaches. In some cases, a breach will need to be reported both to the data protection authorities and to the individuals affected by it. Regardless of whether the data protection authorities are notified, you’ll need to keep records of any security incident that has resulted in the loss, damage, alteration, or disclosure of personal data.
- Appoint a Data Protection Officer
If your organization monitors or processes a significant amount of personal data, the GDPR requires you to appoint a data protection officer (DPO). This individual will oversee the data handling process and ensure compliance with data protection legislation. A DPO can be an existing employee or an externally hired individual. Before appointing or hiring a DPO, consult with the leaders within your company about the types and amount of personal data that are being processed. If it’s decided that appointing a DPO isn’t necessary, it’s still a good idea to keep a documented record of the meeting to support your decision.
- Implement ISO 27001 on Your Organization’s Information Security Management System
ISO 27001 is an international standard that specifies the requirements for establishing, operating, and continually improving an information security management system (ISMS) to protect a company’s information assets. Since the goal of the GDPR is to protect consumers’ personal data, aligning your organization’s ISMS with ISO 27001 can help demonstrate compliance with the new regulations. Adopting ISO 27001 will also encourage ongoing awareness of risk.
If your organization handles or processes the personal data of EU-based individuals, you must prepare for the GDPR – even if your company is headquartered outside of the EU member states. The above steps will help you review your current processes and ensure they are compliant with the new data protection legislation.