The first few steps of your EU General Data Protection Regulation (GDPR) compliance project can be the most confusing. Where to start, who should be involved and how to meet all your obligations are just a few of the questions you will undoubtedly ask, and the entire process can seem incredibly daunting.
What is the GDPR and does your organisation need to comply?
The GDPR demands greater accountability and transparency from organisations in how they collect, process and store personal data. It will be enforced from 25 May 2018.
All organisations established in the EU, and non-EU organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU, must comply with the Regulation.
GDPR compliance is not a choice, nor is it just a matter of ticking a few boxes.
The Regulation demands that you are able to demonstrate compliance.
This involves taking a risk-based approach to data protection: putting in place appropriate policies and procedures to meet the Regulation's transparency, accountability and data subject rights provisions, and building a workplace culture of data privacy and security.
Implementing an appropriate compliance framework helps you avoid significant fines and reputational damage, and shows customers that you are trustworthy and responsible.
Tackle immediate priorities to prove GDPR compliance
If you are only just beginning your GDPR compliance project, it is unlikely that you will be fully compliant by 25 May. However, you can take steps now to demonstrate that you are making a genuine effort to comply.
Our recent blog, GDPR priorities in the lead-up to May, outlines the activities you should prioritise in the next three months.
Kick-start your GDPR compliance project
If you are just starting your GDPR project, we recommend you read March’s book of the month, EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, which provides comprehensive guidance and practical advice on implementing a compliance framework.
Topics covered in this bestselling guide include:
- The data protection officer (DPO) role, including whether you need one and what they should do;
- Risk management and data protection impact assessments (DPIAs), including how, when and why to conduct one;
- Data subjects’ rights, including consent and the withdrawal of consent, subject access requests (SARs) and how to handle them, and data controllers’ and processors’ obligations;
- International data transfers to ‘third countries’, including guidance on adequacy decisions and appropriate safeguards, the EU-US Privacy Shield, international organisations, limited transfers and Cloud providers;
- How to adjust your data protection processes to comply with the GDPR, and the best way of demonstrating that compliance; and
- A full index of the Regulation to help you find the Articles and stipulations relevant to your organisation.