Procrastinators' Guide to GDPR Compliance
Organizations Are Not as Ready as They Might Believe
If you're paying attention, you've probably already seen a handful of General Data Protection Regulation headlines just today, let alone in the last week or month. But there are two good reasons for the deluge of GDPR discussion right now: It's incredibly important and the time to act is now.
If you're one of those ninth-inning, hit-it-out-of-the-park types, you're up. The European Union has imposed a May 25 GDPR enforcement deadline for any organization, regardless of location, that does business with any of the EU's approximately 500 million residents. And noncompliance could cost you the ball game, with a price tag of up to 4 percent of your annual global revenue or €20 million, whichever is higher.
In a recent survey of Fortune 500 firms, 98 percent reported being on track with GDPR compliance efforts. Unfortunately, though, the survey then went on to show far too many "no's" to specific "have you done" questions. Organizations just aren't as ready as they think they are, and odds are good your organization could be better prepared. If you've procrastinated on this process - and just about everyone has, as studies show - start now by taking a hard look at these three foundational areas.
- Build your team: GDPR requires the appointment of a data privacy officer (DPO). This could be a new position, or you could add or change duties for someone already on staff. The position could be filled by a full-time employee or an external consultant. Regardless of the approach you take, someone with compliance expertise is needed to inform your organization of its GDPR obligations, monitor compliance and serve as the liaison with the supervising authority. You'll need a DPO at a minimum. But even better is the appointment of a cross-functional team that can educate others in the organization while planning for and responding to data privacy issues across the organization.
- Map your data: Identify the data sets in your organization's control (for both customers and employees) and the legal basis for processing personal data. Also, if you have more than 250 employees, maintain documentation of all processing activities, including: controller and processor contact information; purposes for processing; categories of subjects and personal data; recipients of data disclosures, including country or international organization; and your in-use security measures. Records of this information will need to be available if the regulating authority wants to perform an audit.
- Write an incident response plan: In the event a security incident does occur, GDPR requires disclosure to supervisory authorities and applicable users within 72 hours. So that you may issue notifications within that time period, develop an IR plan that clearly defines what constitutes a breach, the rules that apply, and the assets you have in play to investigate and respond. Remember, you can avoid notification requirements if you can render the personal data unintelligible or inaccessible.
Meeting GDPR compliance requirements is a complex process whereby many more details must be addressed. Learn more tips from Absolute's webinar GDPR Compliance Masterclass where you'll gain valuable insight from a panel of experts. As we enter the home stretch for this regulation, it's definitely better to be late to the game than to never get started.