5 steps to get ready for GDPR

March 8, 2018
This 90-day plan can help your organization prepare for the EU's tough new data privacy laws

The General Data Protection Regulation (GDPR) is set to go into effect on May 25, 2018. Time is running short to get prepared. If you’re one of the many companies that are just now realizing that you fall under the purview of the new laws, do not fret. While GDPR is a tall order, this 90-day plan will give you enough time to prepare.

What GDPR Means for Your Business

GDPR offers unparalleled protections to European Union citizens when it comes to storing, transferring and processing data. Whether EU citizens are your users, customers or otherwise, the GDPR’s applications are broad. Now is the time to take action and make compliance a top priority in your company. Non-compliance has huge implications, including fines of up to four percent of annual global turnover or €20 million (whichever is greater).

In order to meet basic compliance standards, you will need tight collaborative practices between your business leaders, your compliance team and the managers spearheading the GDPR work, and there is little time to spare.

Here are five steps you can implement over the next 90 days to be ready for the onset of GDPR:

Days 1-15: Audit, Audit, Audit

At the core of GDPR protections lies a primary category of data—the personal data of EU citizens. As such, your first task is to audit your systems as a whole to inventory personal data. Assign a GDPR project manager in each department of your organization and have them ask a series of detailed questions about the information your company possesses.

Start with the general question: what personal data do you store? From there, perform a detailed audit of your liability—is any of this the personal data of EU residents? In what format does this data reside, who has access to it and where is it stored? Do you share or process it with external partners or vendors, and if so, are they GDPR compliant? Do you need a data protection officer (DPO)? Everything that touches the personal data of an EU citizen needs to be brought under the microscope.

Common Mistakes to Avoid in this Window:

  • Not inventorying all data, including partner and vendor data, to ensure that all data has consent and that you have the right processes in place to ensure GDPR compliance.
  • Not having a GDPR champion inside your organization to drive the required changes.

Days 16-30: Planning For Compliance

Once you have performed a detailed audit and identified the key databases and systems that will be impacted by GDPR, you can take the next step—planning for GDPR compliance.

Here, again, you need to focus on individual departments and the many systems that touch the personal data of EU citizens.

The first step here is to assign a single person to each division of your business and task them with developing a plan for compliance. This manager will need to seek out the processors, vendors and service providers who handle any data, design steps to obtain user consent, and define processes that adhere to the various GDPR requirements. These requirements include the right to access, the right to be forgotten and the right to data portability. This means that EU citizens whose personal data you hold will be able to request access to their data, to have their data deleted and to move their data elsewhere. Additionally, you will need to design a process that can be followed in the case of a breach. Breach notification requirements under GDPR are stringent, and any delay in notification can result in hefty fines.

Common Mistakes to Avoid in this Window:

  • Assuming all your service providers are GDPR compliant. You need to make sure that every provider you work with that shares your data is compliant and aware of GDPR.
  • Assuming GDPR is a one-time thing and not planning to keep up any processes. GDPR will be an ongoing effort: you will have new employees, processes and systems that will need to be designed and updated to meet GDPR.

Days 31-60: Implementation

Only once a plan is in place is it time to act. First, you will need to implement user consent procedures to properly acquire and process user data—this is the very first step in handling that core piece of protected information, the personal data of EU citizens.

Next, ensure that you have the procedures necessary to detect, investigate and report any breaches of this personal data. For each process that touches personal data, document the process and its owner.

It is also crucial to future-proof against GDPR requirements. Identify the processes necessary to keep the current systems and processes up to date, and implement checks and balances so that nothing gets overlooked. You may need a system to monitor ongoing GDPR compliance issues over the years ahead as new methods are put in place. Finally, during implementation, prepare your staff on what it means to meet GDPR requirements and how your company is implementing processes to do so.

Common Mistakes to Avoid in this Window:

  • Not spending time in documenting new processes to support GDPR.

Days 61-70: Training

If you only have one person in each department who is knowledgeable about GDPR, you're likely to run into complications, unless you properly train your employees on GDPR and its implications.

You will need to educate employees on which files and data sets are GDPR sensitive and why. It will often be these employees who are in direct contact with both the users and the data, not individual policy specialists, so they need to be aware of what to do in case of a user inquiry. Any processes that you have put in place to handle user requests—for erasure, portability or otherwise—need to be clearly communicated to individual staff.

Additionally, requirements around breaches and breach notifications have been raised to unprecedented levels and employees need to be aware of how to proceed in the event of a breach. There will be very limited windows for compliance when it comes to breach notification, so employees need to be clear on how to report any possible breach and properly channel an issue as soon as it arises.

Common Mistakes to Avoid in this Window:

  • Given the time frame, complex steps and processes cannot be instilled; focus on simple, basic training that employees and partners can quickly learn and follow.

Days 71-90: Test and Audit Again

Finally, in the last days before the regulations go into effect, you should test your systems as well as your employees to make sure that everything runs smoothly. Chances are you'll find a few kinks in the system that need to be worked out, and it's best to find these before, not after.

Run mock "right to access" and "right to be forgotten" requests to ensure that all of your systems are working together and that no personal data is left out. Now is the time to identify issues, test checks and balances, and work to improve what you've put in place. With this 90-day plan, you can rest easy knowing that you've prepared for the strict measures GDPR will bring.

Common Mistakes to Avoid in this Window:

  • Not running enough test cases to cover all new processes that support GDPR.

About the Author:

Madhan Kanagavel is Founder and CEO of CodeLathe Technologies, a privately held software company headquartered in Austin, Texas. Over the last 15 years, Madhan has worked on diverse systems and technology, including building highly scalable MMORPG game server technology, high-speed real-time video acquisition systems, digital video engagement solutions, and Artificial Intelligence (A.I.). He is an open source enthusiast, and holds a Master of Science in Engineering from Boston University.