The new General Data Protection Regulations (GDPR) went into effect May 25, 2018. These European regulations ALSO apply to US companies who collect, maintain, or process personal data for individuals living in the European Union.
The monetary fees for non-compliance can reach over €20 million (approximately $23.2 million USD), but the reputation damage incurred can cost you your entire business.
Learn how to comply with GDPR and avoid costly mistakes with these tips.
1. Know Your Data
You likely know what your business process flows are, but map them to review what data you generate. Look at the types of personal data your business collects, stores and shares. Don’t forget to review internal data like personnel information as well as customer data.
2. Determine What Data You Need
Create lists and categorize data. Look at the purpose of personal data you keep to decide what you really need. Remember, the more you have, the more you can be fined for.
3. Decide What to Keep and Delete
Is your company a data controller, data processor or both?
Data controllers are companies that decide how customer data is to be processed and the purpose of the data. Data processors are companies that process that data for the controllers. Based on how your business fits into the controller and processor roles, start weeding out unnecessary data.
Related: Keeping Your Business Secure Online
4. Choose How Long Data Must Be Kept
Now that you have a clearer picture of the personal data you need for business operation, choose a relevant time period for storage. Your customers will need to know how long you plan on keeping their data and the process for requesting copies of their data usage. You’ll also need a process for how they can request to remove their data from your system.
5. Review Who Has Data Access
If you employ a 3rd-party processor, review its privacy policies to ensure compliance. Don’t be afraid to ask for clarification on GDPR issues. When the data originates with your company, you’re responsible to whoever you grant data access.
6. Define Who You Share Data With
Your processor may not be the only entity you share data with. Now is a great time to define exactly who data can be shared with as well as why. Be sure to include this in your own privacy policies.
7. Review Security Measures
Security breaches are a major issue in GDPR compliance. Look at past and present security for all of your protected data. Make any necessary changes, address training gaps and make certain that personal data is secure in all your business process flows.
8. Implement Safe Storage Protocols
Know where you store your data. How safe is it? If you can’t answer that, it’s time to reevaluate storage protocols. Implement awareness trainings for staff so that protected data isn’t being stored in places it shouldn’t be. Also remember to focus your time on robust security tools and strategies.
9. Update Your Privacy Policies
As previously discussed, under the GDPR, customers have the right to request records and removal of their personal data from your systems. Update all of your privacy policies to include these process requests.
Companies can no longer assume consent to policies in the absence of an action. Make policies clear that the customer must give consent. When policies are updated, customers must also accept the new policies, even if they had previously given consent.
10. Appoint a Data Protection Impact Process and Officer
Implementing a data protection impact process means non-stop management of data. It may be suitable to assign these duties to a single data protection officer or a small team of data managers to ensure that testing and data protection processes run smoothly. This person or team can also address issues quickly without the distractions of other duties.
Still not sure if your company falls within GDPR compliance? Let’s have a chat and explore your unique situation. With proper preparation, you can gain and maintain GDPR compliance and avoid hefty fines.