If you’re like more than half of companies surveyed by Gartner, your company won’t be ready for GDPR by the May 25, 2018 deadline, or even by the end of next year. If that’s the case, you may be subject to fines of up to 20 million euros or 4% of your total worldwide revenue, whichever is greater. Part of the problem is that some of those who are charged with GDPR compliance are under the erroneous impression it doesn’t apply to them. However, just because you’re not based in the EU doesn’t mean you’re exempt. Moreover, good-faith efforts toward compliance may not be enough to avoid fines when the deadline hits. Fortunately, you still have time to prepare. Consider the following four steps to bring your company into compliance before the 2018 deadline so you can avoid potentially significant fees and stress.
Step One: Assess Your Readiness
If you’re like most companies, achieving GDPR compliance will not be as simple as installing a software patch or a system update. It will require an in-depth review of your systems and data flow. The first thing you’ll need to do is understand where you stand in relation to GDPR compliance. In practice, this means:
- Assessing current personal data, where it is located, who has access, and what the data is used for;
- Comparing that assessment to GDPR requirements;
- Identifying gaps between where you are now and where you need to be on deadline day in order to achieve full compliance;
- Determining whether your company needs to hire a Data Protection Officer (DPO); and
- Determining whether you need to perform a Data Protection Impact Assessment (DPIA).
When Primitive Logic conducts GDPR assessments, the result is a traceability matrix used throughout the process to attain compliance.
Step Two: Develop a Plan
Once you have conducted your gap analysis, you can devise a plan that will address those gaps and any related issues. This is essentially a list of programs and projects required to reach compliance, including a high-level scoping. The goal here is to establish a plan for high-level changes impacting the specific technology systems that are needed to achieve your goals, and to develop standards and processes for Data Governance.
Step Three: Build Organizational Consensus
Your efforts will affect many parts of your operation, and you’ll want to communicate with those affected. You’ll need to coordinate with your legal department, compliance officers, your business lines, and your company’s internal operations, such as the HR and technology divisions. With the vast majority of data being captured and processed in digital forms, appropriate technological responses will be critical. You’re on a deadline that can’t be shelved if someone isn’t in the loop, so you’ll need to create and execute a comprehensive communication plan to support all GDPR programs and projects.
Step Four: Implement Programs
Now that you’ve laid the groundwork, you can execute your programs and projects for operational compliance.
You’ll need a regimented approach to ensure you’re completely covered. You may need a dedicated Data Protection Officer, and will need a team who can work together to fully address your company’s GDPR compliance. That group should include more than just your legal and compliance teams, because effective GDPR compliance requires delving deep into your technical architecture to identify and map your data processing and data sharing flows, all while ensuring that individual rights can be managed for system-wide compliance.
Even if you’re fully compliant by next year’s deadline, you’ll want to make sure that your systems and processes allow for continued compliance in the future. GDPR will apply to any new systems that are implemented or purchased, along with upgrades/enhancements to existing systems, and any additional data integrations. Additionally, GDPR requires technological compliance “with due regard for the state of the art”, meaning that your technical architecture and systems will need to evolve with future technological advances.
GDPR compliance is a complex task with many steps and specific actions. Fortunately, Primitive Logic has extensive expertise in the areas of data governance, data architecture, integration and data security. We’ve worked with organizations of all sizes, from SMBs to Fortune Global 100 companies. GDPR compliance requires a lot of work and the deadline is fast approaching. So leverage our expertise and if you are unsure about any of the steps ahead, let us know.
Follow Jill Reber on Twitter at @PrimitiveCEO.