How to Prepare for the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is fast approaching and officially enacted on May 25, 2018, in Europe, and it will have a critical impact on organizations around the globe which can even include bankruptcy.
GDPR is a European Union legislation that is designed to protect the fundamental rights of citizens and their personal data. This law ensures not only that people know where their private data is kept, but keeps organisations accountable and transparent with their practices. This new regulation not only shifts the standards for how organizations store data, it changes how they relate with data in general.
At SmartSimple, we want to help you not only be informed about GDPR, but be confidently compliant with it so that your organization is ready and safe from heavy consequences. This is why we’ve broken down the different elements into our S.I.M.P.L.E model and providing real, practical strategies to comply with the upcoming regulation.
Read on and be ready. We are here to help.
Sharpen Security and Privacy By Design
Review your security and data protection protocols. Engage your data processing software providers to find out how they can work with you to guarantee compliance.
Create a manual that will help your organization develop best practices regarding GDPR and security awareness
Breach and data attacks happen all the time, and it can happen with a simple click of a wrong link in a spam email. By developing a manual or utilizing available training resources with concrete practices of how to identify potential data risks, it will decrease your chances of suffering from a breach in the future and staff will be informed and knowledgeable.
Implement consistent data protection techniques
In order to protect the data of your clients, utilize SmartSimple’s various security protocols within the system. Some of these include:
- Encryption: the process of converting information or data into a code to prevent unauthorized access.
- Pseudonymization: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately.
Each of these auditable processes ensures that your collected data is protected from a potential breach and data hacking.
Develop a data protection template to be included in upcoming projects
Make sure your implementation processes are not reactive by developing compliance in important projects you’re working on now. By creating a structured process for data protection accountability assessments, you’ll be more prepared when the regulation takes effect.
Implement Relevant Procedures
Each organization is different, so ensure that your data protection plan is tailored to your unique needs and processes.
Designate a Data Protection Officer (DPO)
Under the new regulation, you must appoint a Data Protection Officer (DPO) if your company does any of the following:
- Exceeds 200 employees
- Processes or stores large amounts of EU citizen personal data (this includes international companies)
- Processes large amounts of special categories of data which includes sensitive data involving health, religion, race, sexual orientation, etc.
- Regularly monitors data subjects (people and entities)
- Are a public authority (an entity that’s supported directly or indirectly by the government)
The responsibilities of a DPO is to educate the company on the important compliance requirements, training staff involved with data processing and conducting periodic security audits. As a DPO, you will be also be the main contact for all GDPR matters for your clients.
Create a Data Protection Policy
One of the integral elements of being GDPR compliant is updating your current Data Protection Policy to reflect the new changes. Policies are documents that create principles.
Within the policy, include key elements that include explicit reasoning why the policy is needed, existing technical and organizational measures, and documentation of how the policies will be implemented.
Create a public statement to your clients about GDPR and list out how you’re complying with all aspects of the new regulation
One impactful way to build trust and safety with your clients is to proactively write a public statement and address your commitment to GDPR compliance on your website. This creates transparency in your communication while opening space for dialogue and accessibility to answer questions from your audience. Another option is to become certified as compliant with an authorized code of conduct.
Make Transparency Your Priority
One of the key themes of the GDPR is transparency. Foster transparent processes in your organization through increasing communication and documentation, and build trust along the way.
Review and update customer privacy notices to reflect the new transparency and accessibility requirements of the GDPR
In (an) effort to keep everyone informed, make sure your privacy notices are compliant with GDPR standards and clearly expressed to your clients.
Use video as a medium to explain GDPR
Video is a great way to connect with your audience. It not only delivers the information in a conversational, human way, it also keeps your audience engaged with the information you’re delivering.
Create responsive and layered information notices
There’s a lot you can do to promote transparency on a website design level. You can deliver clarification and details of GDPR terms by using hover notices. This promotes a level of thoroughness that will instill trust in your clients.
Protect the Rights of Your Clients
The GDPR places the responsibility of facilitating a data subject’s rights on you, the controller.
Develop a GDPR compliant checklist that you must complete BEFORE you process and collect data from a subject
Implementing a structured checklist will help make sure you’re not infringing on your client’s rights. Remember, it’s your job as a controller to be facilitating these rights. Having a tangible document gets all of the granular requirements out of your head and onto paper, making for a more stress-free experience. This checklist also serves as a form for future auditing.
Make sure the information you need to provide the data subject is accessible in plain language
Transparency is a major component with GDPR, and the simplest way you can express information to your clients is the best way. Make sure to write your GDPR-related material in a way that a child would understand.
Look Over Your Current Practices
Take time to thoroughly and critically assess what your organization is currently doing, and amend what falls short of compliance. A deep knowledge of your processes will make your road to compliance much smoother.
Implement SmartSimple’s GDPR Self-Assessment Workbook
This Workbook provides our S.I.M.P.L.E. model that lays out a series of questions to help guide you in pinpointing areas in need of improvement.
Empower Your People
Empower both your clients, and your employees, through education and communication. GDPR doesn’t just affect the IT department, it makes a great impact into how your organization processes information as a whole. Every part of your company is accountable.
Create a GDPR task force
Get more of your staff actively engaged in making sure you’re GDPR-ready. Not all responsibilities should fall on your DPO, you can create a whole team working on preparing and implementing new company-wide practices.
Put together training materials to raise staff awareness of the new rules under the GDPR
From onboarding of new hires to continuing education for current staff, educational materials on GDPR should be integral in raising awareness in every department.