The General Data Protection Regulation came into effect on May 25, 2018, and while there was tremendous noise around this event and it seemed as if the end was near, the world is still turning. Some people have even compared the GDPR deadline to the Y2K hype. This, however, is a bad comparison, because GDPR – unlike the Y2K bug – was not a singular event that organizations can safely ignore once May 25th has passed. Quite the opposite is true: GDPR is here to stay, and ensuring compliance is something that organizations have to consider and monitor continually, so that they don’t forget about it and suddenly find themselves non-compliant in the future. So what areas should organizations pay attention to in the long term to stay out of the GDPR auditor’s crosshairs?
Make sure you have all your bases covered not just right now, but also going forward. Here is your GDPR checklist to avoid the auditor’s crosshairs; specifically, you want to be paying attention to the following areas:
Maintain appropriate documentation
A very large part of GDPR compliance is making sure that you have documented which aspects of your organization are impacted. Specifically, this means that you have a document describing who the data controller(s) are, who represents them, and who the responsible Data Privacy Officer is. You will also need to establish the purposes of data processing and a description of the categories of data subjects and of the categories of personal data. If your organization is planning to share this data, especially internationally, you will also have to document the categories of recipients to whom the personal data will be disclosed and what appropriate safeguards have been put in place. Time limits for erasure of the different categories of data should also be part of your documentation. In addition, you need to have records of when the data subject gave their consent to the collection and use of their personal data. Lastly, you need to have a general description of the technical and organizational security measures that are implemented.
Maintain an understanding of your processes
Organizations need to work across departments and functions to gain and maintain an understanding of where personal data is being used in their business processes. Determine the lawful basis for processing in each of them and figure out for which processes a data protection impact assessment (DPIA) is mandatory. Make sure that this understanding is maintained going forward as your business processes change or as new processes are created.
Keep your roles & responsibilities clearly defined
You have probably defined roles and responsibilities in your organization in preparation for GDPR. You also made sure that the necessary training took place and ensured the right level of awareness in your organization. Again, don’t regard this as a one-off activity. As your organization changes, you need to ensure that everything stays clearly defined and that key stakeholders are trained. Also, expect GDPR to change in the coming years, so make sure that your organization stays up to date.
Treat privacy risk just like any other risk factor that you are permanently monitoring
If privacy risk is not part of your standard risk register, add it there. Now apply the same risk management fundamentals to it as you would with any other item in your risk register.
Ongoing internal funding
Make sure that senior management understands that maintaining GDPR compliance requires ongoing funding and sponsorship. Your annual planning needs to include a budget for investments related to GDPR compliance, and someone from the board should be appointed as a long-term sponsor.
Don’t let your guard down on data governance & keep your data security strategy aligned
Data management in the context of GDPR means data accountability and responsibility as well as policies & procedures. It also means that you have reporting in place to monitor compliance. Your data landscape will change over time. Make sure that your data management & governance captures these changes and keeps them aligned with GDPR requirements.
You will also have to ensure that appropriate technical and organizational measures are (and remain!) in place so that there is adequate security for the personal data stored in or processed by your organization’s systems. In practice this means that you should have a data-centric security strategy in place by now. Pseudonymization is the magic term here: GDPR describes in several of its articles that data needs to be protected by such means.
Make no mistake, all the guiding principles above mean a lot of work for your company on an ongoing basis. However, there is little choice in this matter, as privacy has never been more important than it is today, and it looks like sensitivity around privacy is only going to increase going forward. More and more GDPR-like laws and regulations are coming into play, so ignoring the topic is not an option. Get it tackled now. Going forward, treat it as a core requirement in everything your organization does. Otherwise, you will eventually be in the crosshairs of a GDPR auditor.