A step-by-step guide to GDPR compliance

By Pete Zimmerman, VP of services, Sonian

According to a recent study conducted by Veritas Technologies, nearly one third of surveyed organisations from around the globe report being ready to comply with the upcoming General Data Protection Regulation (GDPR) – mandated by European officials to strengthen and unify data protection for all individuals within the European Union. When asked about specific GDPR provisions, however, the majority of those same surveyed organisations revealed that they were not actually in compliance; in fact, only 2% were found to be GDPR compliant.

This is a problem. While it’s true that GDPR does not officially go into effect until May 25, 2018, there is a lot that businesses need to do in order to prepare for the impending regulation: the GDPR contains 99 articles that outline requirements relating to how personal data is processed and stored, how consent is attained and how data breaches should be reported (among many other things). If businesses fail to comply, they could face penalties as severe as having to pay the greater of $23M/€19M or 4% of global revenue.

To avoid costly penalty fees, businesses affected by GDPR (i.e., any that collect or retain personally identifiable data from individuals in Europe) need to take steps to ensure compliance – and fast. Here is a checklist for getting everything done on time:

Q3 2017

  • Get each business unit on board: At this point, organisations should have already connected with each of their departments to ensure all teams understand what GDPR is and how it could impact the ways in which they work. Now, it’s up to business leaders to communicate what unit heads need to do from an operational standpoint to ensure compliance is achieved before the rule goes into effect next spring. Departmental tasks may involve things like reviewing security controls and scheduling time with auditors to identify where there may be holes in their compliance.
  • Evaluate partners’ compliance strategies: Unfortunately, it’s not enough for businesses to ensure their internal teams are taking strides to adhere to GDPR policy. They also need to make sure that any organisations they are associated with (partners, vendors, etc.) are taking the proper steps to protect personally identifiable information given to them by their company.

For instance, if a company provides a vendor with information about individual European customers, and that vendor is not GDPR compliant, regulators could trace the information back to the company and fine it for failing to take comprehensive steps to protect its customers’ data. To prevent this from happening, businesses should ask partners and vendors to provide them with proof of GDPR compliance.

Q4 2017

  • Identify shortcomings: Having reviewed security controls, met with auditors and connected with vendors and partners about their compliance strategies, organisations should at this stage have a clear sense of where they are in good shape and where they need to direct more resources to remedy any issues. Companies should make a list of their shortcomings and develop plans for resolving them.
  • Hire a Data Protection Officer: Already a busy time, Q4 may be made hectic by organisations scrambling to amend compliance issues. To stay organised and on track, businesses should appoint a Data Protection Officer (DPO) to ensure that their data security and GDPR compliance strategy is being carried out. For some companies, a DPO is non-negotiable. The GDPR mandates that companies that process or store large amounts of EU citizen data, regularly monitor data subjects or are a public authority appoint a DPO.

The DPO may already exist at the organisation (perhaps under a different title, such as Director of Security), or may need to be hired or outsourced. Not only will this individual be instrumental in preparing the company for GDPR compliance, but also in guiding it once the regulation takes effect – helping to manage any unforeseen hurdles or new provisions.

If organisations follow this checklist, they should be well-positioned for GDPR compliance success by the New Year, using Q1 2018 to make any last-minute adjustments.

While GDPR preparations are a bit daunting, the regulation represents a positive step in helping businesses protect sensitive data. All too often “rules” are misinterpreted as vague suggestions. With its specific provisions and significant penalties, GDPR leaves little room for misinterpretation. Businesses have a clear set of guidelines for what needs to be done – and now, hopefully, a timeline for when it needs to be done. Let’s get to work.

Pete Zimmerman leads Sonian’s SaaS Operations