The General Data Protection Regulation (GDPR) comes into force next May, which is not far away. The GDPR primarily seeks to provide unified, clear rules for stronger data protection and to give individuals more control over the personal information that companies process about them.
Organisations established outside the European Union but doing business with individuals within it will also have to comply with the GDPR.
If you comply with current data protection law, most of what you already do should remain valid under the GDPR. However, there are new elements which all organisations involved in processing personal data need to consider.
So what do you need to do to prepare for GDPR?
If you haven’t already started (surveys say that at least 50% of companies aren’t prepared), here are a few simple steps to get you on your way:
- Ensure the management team and key employees are aware of the GDPR and its impact.
- Document the personal data you hold, where it came from and who you share it with.
- Review how you seek, record and manage consent.
- Check that your procedures cover individuals’ rights, including how you would handle subject access requests and delete personal data.
- Ensure procedures are in place to detect, report and investigate a personal data breach.
- Decide whether you need a Data Protection Officer (DPO). If you do, appoint one.
See more on the website of the ICO (the UK’s Information Commissioner’s Office). If you are based in the UK, the ICO site also has a nice little survey to kick-start you: Getting ready for the GDPR. The Irish Data Protection Commissioner also has a checklist, and Ibec has prepared some excellent guides to get you started.
Fines for non-compliance can be up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher.
See also the previous blog post “GDPR and you” for further information to help you prepare for the GDPR.
More information: Trilogy’s 1 November post provides guidance on how Netwrix Auditor helps you prepare for the GDPR.