
How to Meet the New GDPR Compliance Requirements

The General Data Protection Regulation (GDPR) went into effect May 25, 2018. Although it is European law, it also applies to US companies that collect, store, or process the personal data of individuals located in the European Union, for example by offering them goods or services or by monitoring their behavior.

Fines for non-compliance can reach €20 million (approximately $23.2 million USD) or 4% of annual worldwide turnover, whichever is higher, but the reputation damage incurred can cost you your entire business.

Learn how to comply with GDPR and avoid costly mistakes with these tips.

1. Know Your Data

You likely know what your business process flows are, but map them out to see what data each step generates and consumes. Look at the types of personal data your business collects, stores, and shares. Don't forget to review internal data such as personnel records as well as customer data.

2. Determine What Data You Need

Create an inventory and categorize the data in it. For each category of personal data you keep, identify the purpose it serves and decide whether you really need it. Remember, the more personal data you hold, the larger your exposure when something goes wrong.

3. Decide What to Keep and Delete

Is your company a data controller, data processor or both?

Data controllers are organizations that determine the purposes and means of processing personal data. Data processors are organizations that process that data on behalf of a controller. Based on how your business fits into the controller and processor roles, start weeding out unnecessary data.

4. Choose How Long Data Must Be Kept

Now that you have a clearer picture of the personal data you need for business operation, set a retention period for each category and delete data when it expires. Your customers will need to know how long you plan on keeping their data and how they can request a copy of it along with information about how it is used (the right of access). You'll also need a process for handling requests to erase their data from your systems, including your backups and any processors you have shared it with.

5. Review Who Has Data Access

If you employ a third-party processor, review its privacy policies and security practices to ensure compliance, and put a written data processing agreement in place, as the GDPR requires. Don't be afraid to ask for clarification on GDPR issues. When the data originates with your company, you remain responsible for it no matter whom you grant access to.

6. Define Who You Share Data With

Your processor may not be the only entity you share data with. Now is a great time to define exactly who data can be shared with, what data they receive, and why. Be sure to include this in your own privacy policies.

7. Review Security Measures

Security breaches are a major issue in GDPR compliance: a breach of personal data must normally be reported to the supervisory authority within 72 hours of becoming aware of it, so you need a tested incident response process, not just preventive controls. Review past and present security for all of your protected data. Make any necessary changes, address training gaps, and make certain that personal data is secured in all of your business process flows.

8. Implement Safe Storage Protocols

Know where you store your data. How well is it protected? If you can't answer that, it's time to reevaluate your storage practices. Run awareness training for staff so that protected data isn't copied into places it shouldn't be, such as shared drives, spreadsheets, or personal devices. Also remember to invest your time in robust security tools and strategies.

9. Update Your Privacy Policies

As previously discussed, under the GDPR, customers have the right to request copies of their personal data and to have it removed from your systems. Update all of your privacy policies to explain how to make these requests.

Companies can no longer assume consent in the absence of an action: pre-ticked boxes and silence do not count. Make it clear in your policies that the customer must give consent through a clear affirmative act. When you change the purposes for which you process data, customers must consent again, even if they had previously given consent.

10. Run Data Protection Impact Assessments and Appoint a Data Protection Officer

A data protection impact assessment (DPIA) is required before any processing that is likely to pose a high risk to individuals, and keeping it current means ongoing management of your data rather than a one-time review. Some organizations are also required to appoint a data protection officer (DPO), for example where core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. Even where it isn't mandatory, assigning these duties to a single data protection officer or a small team of data managers ensures that assessments and data protection processes run smoothly. This person or team can also address issues quickly without the distractions of other duties.

Still not sure whether your company falls within the GDPR's scope? Let's have a chat and explore your unique situation. With proper preparation, you can gain and maintain GDPR compliance and avoid hefty fines.