5 simple steps for GDPR compliance
As the GDPR deadline of May 25, 2018 creeps closer, our thoughts turn to compliance and how to achieve it without losing any (more) hair in the process.
If you have been putting off making the necessary adjustments to your data security, privacy, and governance policies and procedures, keep in mind that the clock is ticking down rather quickly now. The good news is, by following a series of simple steps, you can clear that GDPR smoke screen and get back to doing what you do.
Here are five simple steps you can take to reach GDPR compliance with minimal pain.
1. Data flow mapping and analysis
Data classification is a major step towards GDPR compliance, but it can be particularly complex when personal data lives on your own servers and in their backups: any stored backup copy also has to be reachable in case you need to remove or edit a record. With tape backups, the undertaking is virtually impossible in practice, consuming countless IT hours for something that could otherwise be accomplished in a few keystrokes. You need to know how personal data flows in and where it goes from there, including every hand-off to 3rd party vendors such as shippers, email services, marketing platforms, and so on. Drawing on GRSee's experience in governance, risk and compliance projects, we have created efficient methodologies that have allowed us to successfully support this kind of transformation.
2. Analysis of currently implemented controls
While you likely have some controls in place, each should be reviewed and considered in the context of the GDPR. This should be a step-by-step process in which you walk through your data flow and decide, for each control, whether it is already adequate, whether it merely needs some adjustments, or whether you need to start from scratch. This review covers written policies as well as all applicable IT, hardware and software solutions.
3. Review of privacy policies
Privacy policies must be worded more precisely. You must now disclose exactly why you are collecting personal data and how it will be used, stored, and shared with your 3rd party processors. In turn, this also means you must review your 3rd party vendors' policies to ensure they are in compliance.
4. Review SDLC for privacy
Your software development life cycle (SDLC), if this applies to you, is affected substantially as well: GDPR requirements, in particular privacy by design and by default, need to be addressed at every stage of the software product lifecycle, from requirements and design through implementation, testing and operation. Addressing them early is what keeps the product financially viable in production and avoids costly reworking later on.
5. Creation of GDPR alignment work plan
Aligning your processes to support best practices in light of the GDPR is crucial. The earlier you begin to map out your transformation, the less tap dancing you will have to do when the regulation becomes enforceable on May 25, 2018. Preparation is the first step, followed by the implementation of effective procedures, and finally the maintenance of your protocols to assure ongoing accountability.
If you have not yet begun your digital transformation, the imminence of the GDPR may help you get started. Speak with GRSee to set up a free consultation.