The hardest part of any journey is taking that first step. The GDPR journey (and it is a journey) begins inauspiciously with some simple steps. At CENTRL, we consistently recommend our clients to build and implement their GDPR programs in phases. I tell my clients, GDPR is as much about the effort as the results. Auditors want to see your organization is taking GDPR compliance seriously and will likely be more forgiving in case of an unforeseen problem.
We know that GDPR will evolve in both scope and its adoption by other countries around the world. Data privacy, natural person's rights to their personal data, and misuse of data are going to be hallmarks for the foreseeable future.
As I said earlier, the difference between GDPR compliance and noncompliance (and related fines) is directly related to your, your management's, your peers' and your entire organization's commitment to protect an individual's data within your company's infrastructure. The first step in this organizational commitment is you. You need to become educated in GDPR, be an evangelist and most importantly protect your organization from unwanted publicity, fines and loss of customer goodwill and loyalty associated with a misuse of company data.
But enough of a preamble, let's take the first few steps on your GDPR journey.
Get educated. It's unrealistic that you'll know every GDPR nuance or every word within its 260-page regulation, but that doesn't preclude you from being armed with a baseline of knowledge to start the process. (Remember, this is the first step).
Join industry associations like IAPP, which has local chapters and often hosts informational seminars. You'll learn from each seminar's speaker, but you'll also learn from others who are wrestling with their own organization's GDPR compliance.
You need to educate and motivate peers and your management. They need to understand the potentially immense costs of noncompliance, which go far beyond just the large fines that can be levied.
Document, document and document. If you are audited, the first question an auditor will ask is "How are you?" but I can assure you that the next question will be, "Can I see your documented GDPR processes?" If you don't have your data mapped, processes documented, training program chronicled and other pertinent information easily accessible, you will demonstrate your lack of preparation and commitment to GDPR compliance.
Discover where your private data resides, how it's used, who uses it and when it's used. Equally important, is your data being shared with other parties (processors)? Why is it being shared? Are these processors of private data in compliance with GDPR? You need to look beyond your own customer database and look at your employees, your job applicants and any other personal data held by any group within your company. One more thing companies often overlook is understanding what personal data is currently being gathered? Are there mechanisms for capturing new personal data that should be reviewed or potentially discontinued? Do you have employees in GDPR-regulated countries? If so, you need to analyze their employee record data flow and ensure their data complies with GDPR.
Now that you documented your data flows, you will need to know who has access to that data. Are there people who have access to your organization's private data who don't need it? Or should they only be allowed to see certain aspects of a person's data?
Create a gap analysis. By now you've seen specific areas for improvement. Again, document those gaps and get management to acknowledge these gaps. Remember, GDPR compliance is a journey so you may find new gaps in the future and those can be added. I've seen companies name their first review as their "Initial Gap Analysis."
Devise a plan to address the gaps. You found the gaps now how can you, your peers, management and other departments remedy these deficiencies? This can take some time because you will need to win the support of others, get their recommended solutions and devise an implementation plan to correct your deficiencies. Again, documentation is key here in case you get audited.
Your gap analysis will entail new processes. Rather than trying to build your own tools, look at vendors (like CENTRL) who can provide software, templates and workflows for compliance assessments, data mapping and data inventory tools. Although there are vendors who can sell you an enterprise platform for GDPR compliance, it's probably overkill for your needs. On the other end of the GDPR tool spectrum are Excel spreadsheets which are not scalable and not a good long-term solution. To address the void between Excel and expensive enterprise solutions, CENTRL provides tools that focus on delivering a comprehensive GDPR compliance solution at an affordable price.
In future steps, you may need to appoint a Data Privacy Officer, create a process for thorough and ongoing physical and IT system security assessments, devise a complete training program for current and new employees and find a lawyer and PR firm just in case of a major event.
These steps are by no means exhaustive, but they describe the first steps a motivated individual can take to become and maintain GDPR compliance. Take the first step and start your journey toward protecting your company's data and your company's ongoing success.
For more information on the CENTRL GDPR compliance platform, click here.