The countdown is on: The EU’s General Data Protection Regulation (GDPR) goes into effect in May 2018, roughly one year from now. Are you ready?
Ensuring compliance with GDPR, which is intended to strengthen and unify data protection for individuals within the European Union, will involve more than just flipping a switch. And whether your business is located in the EU or not, if it processes data about individuals in the context of selling goods or services to citizens of an EU country, your business will need to comply.
Here are three strategies for jumpstarting the process:
- Process Your Processes: Take time to reflect on your current processes and how they must be modified to comply with GDPR standards. Complete an internal audit to assess the processes, systems, internal people and third parties that are in place or need to be put in place to ensure data security compliance. Determine how they work together to establish formal workflows. Generate a process for handling issues and related actions, including breach notifications. Prepare detailed action plans to address any identified gaps in data security.
- Prioritize People: Appoint a data protection officer who can establish ownership around data security and the training of personnel. Further, when you’re assessing your current and future-state workflows, pay special attention to who needs to be involved with what data or which processes and when. Understanding the roles individuals play and when they enter into the picture is important for establishing a fluid cadence of communications and workflows around data security.
- Choose Tools Wisely: Unfortunately, people aren’t enough. If the massive undertaking of being GDPR-compliant by May 2018 requires you to divert resources from other areas of your business, you could be putting your business at risk in other ways. Assess whether you have technology in place, or need to invest in technology, that helps you be compliant and efficient at the same time.
The right technology should help you deploy all three of these strategies with ease and efficiency. Such technology should be easy to use, flexible and, most importantly, integrated, so that it meets the data security compliance demands of the enterprise.
If you currently use risk management technology, or are considering investing in such a system, it might already have the capabilities you need, including:
- Regulatory interaction: Can interactions with regulatory and internal stakeholders be managed within the solution, giving a complete view of data security needs in one place?
- Management of Contracts and Corporate Policies: Can the solution serve as a central repository for all contracts and policies?
- Ongoing data-sharing request management: Can you automate data-sharing request processes efficiently, with pass-throughs based on existing data-sharing contracts?
- Data request management and governance: Can you manage requests for information?
- Vendor risk management: Can you manage third parties and their ongoing data security access requirements and assessments?
- Reports and dashboards: Can the solution provide comprehensive analytics and an audit trail of the data security activities within the organization for ongoing monitoring/assessment and regulatory needs as required?
Be careful not to invest time, energy and budget in a one-off compliance solution. Instead, consider enterprise-wide risk management technology that can fold GDPR in alongside all your other risks.
To learn more about GDPR and strategies to keep your business compliant, read our white paper.