How to Prepare for the General Data Protection Regulation (GDPR)

By -

The General Data Protection Regulation (GDPR) is fast approaching and officially enacted on May 25, 2018, in Europe, and it will have a critical impact on organizations around the globe which can even include bankruptcy.
GDPR is a European Union legislation that is designed to protect the fundamental rights of citizens and their personal data. This law ensures not only that people know where their private data is kept, but keeps organisations accountable and transparent with their practices. This new regulation not only shifts the standards for how organizations store data, it changes how they relate with data in general.
At SmartSimple, we want to help you not only be informed about GDPR, but be confidently compliant with it so that your organization is ready and safe from heavy consequences. This is why we’ve broken down the different elements into our S.I.M.P.L.E model and providing real, practical strategies to comply with the upcoming regulation.
Read on and be ready. We are here to help.

Sharpen Security and Privacy By Design

Review your security and data protection protocols. Engage your data processing software providers to find out how they can work with you to guarantee compliance.
Create a manual that will help your organization develop best practices regarding GDPR and security awareness
Breach and data attacks happen all the time, and it can happen with a simple click of a wrong link in a spam email. By developing a manual or utilizing available training resources with concrete practices of how to identify potential data risks, it will decrease your chances of suffering from a breach in the future and staff will be informed and knowledgeable.



Implement consistent data protection techniques
In order to protect the data of your clients, utilize SmartSimple’s various security protocols within the system. Some of these include:
  • Encryption: the process of converting information or data into a code to prevent unauthorized access.
  • Pseudonymization: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately.
Each of these auditable processes ensures that your collected data is protected from a potential breach and data hacking.



Develop a data protection template to be included in upcoming projects
Make sure your implementation processes are not reactive by developing compliance in important projects you’re working on now. By creating a structured process for data protection accountability assessments, you’ll be more prepared when the regulation takes effect.

Implement Relevant Procedures

Each organization is different, so ensure that your data protection plan is tailored to your unique needs and processes.
Designate a Data Protection Officer (DPO)
Under the new regulation, you must appoint a Data Protection Officer (DPO) if your company does any of the following:
  • Exceeds 200 employees
  • Processes or stores large amounts of EU citizen personal data (this includes international companies)
  • Processes large amounts of special categories of data which includes sensitive data involving health, religion, race, sexual orientation, etc.
  • Regularly monitors data subjects (people and entities)
  • Are a public authority (an entity that’s supported directly or indirectly by the government)
The responsibilities of a DPO is to educate the company on the important compliance requirements, training staff involved with data processing and conducting periodic security audits. As a DPO, you will be also be the main contact for all GDPR matters for your clients.
Create a Data Protection Policy
One of the integral elements of being GDPR compliant is updating your current Data Protection Policy to reflect the new changes. Policies are documents that create principles.
Within the policy, include key elements that include explicit reasoning why the policy is needed, existing technical and organizational measures, and documentation of how the policies will be implemented.



Create a public statement to your clients about GDPR and list out how you’re complying with all aspects of the new regulation
One impactful way to build trust and safety with your clients is to proactively write a public statement and address your commitment to GDPR compliance on your website. This creates transparency in your communication while opening space for dialogue and accessibility to answer questions from your audience.  Another option is to become certified as compliant with an authorized code of conduct.

Make Transparency Your Priority

One of the key themes of the GDPR is transparency. Foster transparent processes in your organization through increasing communication and documentation, and build trust along the way.
Review and update customer privacy notices to reflect the new transparency and accessibility requirements of the GDPR
In (an) effort to keep everyone informed, make sure your privacy notices are compliant with GDPR standards and clearly expressed to your clients.
Use video as a medium to explain GDPR
Video is a great way to connect with your audience. It not only delivers the information in a conversational, human way, it also keeps your audience engaged with the information you’re delivering.
Create responsive and layered information notices
There’s a lot you can do to promote transparency on a website design level. You can deliver clarification and details of GDPR terms by using hover notices. This promotes a level of thoroughness that will instill trust in your clients.

Protect the Rights of Your Clients

The GDPR places the responsibility of facilitating a data subject’s rights on you, the controller.
Develop a GDPR compliant checklist that you must complete BEFORE you process and collect data from a subject
Implementing a structured checklist will help make sure you’re not infringing on your client’s rights. Remember, it’s your job as a controller to be facilitating these rights. Having a tangible document gets all of the granular requirements out of your head and onto paper, making for a more stress-free experience. This checklist also serves as a form for future auditing.



Make sure the information you need to provide the data subject is accessible in plain language
Transparency is a major component with GDPR, and the simplest way you can express information to your clients is the best way. Make sure to write your GDPR-related material in a way that a child would understand.

Look Over Your Current Practices

Take time to thoroughly and critically assess what your organization is currently doing, and amend what falls short of compliance. A deep knowledge of your processes will make your road to compliance much smoother.
Implement SmartSimple’s GDPR Self-Assessment Workbook
This Workbook provides our S.I.M.P.L.E. model that lays out a series of questions to help guide you in pinpointing areas in need of improvement.


Empower Your People

Empower both your clients, and your employees, through education and communication. GDPR doesn’t just affect the IT department, it makes a great impact into how your organization processes information as a whole. Every part of your company is accountable.
Create a GDPR task force
Get more of your staff actively engaged in making sure you’re GDPR-ready. Not all responsibilities should fall on your DPO, you can create a whole team working on preparing and implementing new company-wide practices.
Put together training materials to raise staff awareness of the new rules under the GDPR
From onboarding of new hires to continuing education for current staff, educational materials on GDPR should be integral in raising awareness in every department.

While all of this may seem daunting, remember that you can contact us with any questions and we're more than happy to help you get GDPR-ready. And always live by this mantra...


Comments

Post a Comment

Popular posts from this blog

Introducing 24/5 Technical Support

By Anonymous -
Image
Real technical support from a real human, at any hour. We’re launching round-the-clock technical support 24 hours a day, 5 days a week. From Sunday at 4pm Eastern Time to Friday 9pm Eastern Time, our clients will have access to live support. GMT: 9 pm Sunday to 2 am Saturday EST: 4 pm Sunday to 9 pm Friday PST: 1 pm Sunday to 6 pm Friday AEST: 8 am Monday to 1 pm Saturday “When you have to burn the midnight oil to get your job done it’s important to know you won’t have to wait till the morning to get answers. You can call us up and talk to a real human being any time of the week, day or night”.   — Mike Reid, Co-Founder of SmartSimple We take support seriously, which is why we’re pioneering this model as the first in our industry. We’re in the empowerment business, and as such, it’s part of our responsibility to help our clients to get the most out of the SmartSimple platform every step of the way. We at SmartSimple take pride in our delivery of excellent service to o
Read more

SmartSimple Attends the Conference Board of Canada’s Corporate Social Responsibility Conference

By Anonymous -
Image
On October 29 th and 30 th , the SmartSimple team took part in the very first Corporate Social Responsibility (CSR) Conference. Hosted by the Conference Board of Canada, the event took place at the Hilton in Toronto, Canada. The theme for this inaugural event was Delivering Meaningful Impact. Sarah Jane Nicholson and David Resnick welcome participants. “We really enjoy attending events like this,” says David Resnick, Director, Strategic Initiatives and Product Placement, “We always appreciate the opportunity to share the power of SmartSimple with organizations looking to easily manage and run their CSR activities. Plus, it’s great to speak to our existing clients and hear about how well SmartSimple is working for them.” Also in attendance from SmartSimple’s Toronto team were Sarah Jane Nicholson, Relationship Manager, and our new Inside Sales Manager, Alvin Thompson. This summit gave participants the chance to learn, explore and discuss best practice strategies for compan
Read more

Dedicated vs. Non-Dedicated Servers – What’s best for me?

By Anonymous -
Image
More and more business today is being done in the cloud. While this offers amazing flexibility and accessibility advantages, everything you use in the cloud still needs to be physically stored somewhere, and that’s the role a server plays in your system. There are two types of servers you can use; a dedicated server or a non-dedicated server. Google's server farm in Douglas County, Iowa What’s the Difference? A non-dedicated server means your server is “hosted” in a shared environment with other, separate organizations.   A dedicated server is your organization’s own server and only contains your data. Why would my organization choose one option over the other? The answer to this question really depends on the classification level of your data, the governance rules of your organization and your country’s data sovereignty laws. That’s really not as complicated as it sounds. Data classification is all about how sensitive your data is and, therefore,
Read more