GDPR Compliance: A Risk-and-Readiness Checklist

By now, you know whether the European Union’s General Data Protection Regulation (GDPR), with its strict and far-reaching data and privacy protection rules, applies to your organization.
What may not be as clear is what pursuing compliance means for you, how it may affect your operations, and which aspects of GDPR you and your team should be considering right now.


GDPR: opportunity or obstacle?

For many US firms, complying with GDPR is a little of both. For example, if you don’t currently compete in Europe, your investment in compliance could open the door to new sales and growth opportunities in the EU’s 28 member states. Compliance also earns you the right to pursue millions of new European customers without fear of the severe financial penalties regulators have set forth. According to Forbes, there are further business benefits, including:

· Enhanced cybersecurity

· Improved data management

· Better marketing returns

· Greater trust from current and future customers

On the flip side, aligning with the GDPR gives the European customers who buy your products or services greater control over your operations, specifically how you collect, process, store, and dispose of their personal information. It’s not cliché to call this change a true ‘paradigm shift’ in data management. As one European data-governance expert puts it: “Compliance is all about understanding that individuals now own their personal data; you’re merely hosting it for them.”

What to do

Establishing and proving GDPR compliance may also require a significant financial investment in updated processes, infrastructure and manpower, including added staff such as a Data Protection Officer. To determine where you are right now and how far you have left to go, here are some tips, framed as questions to take up with your team, including your legal counsel, internal business and technical leaders, and IT Managed Services Provider.

Know your data. Under GDPR, you’re responsible for identifying and securing any and all data that your business retains. Depending on your company’s size and type, this may be a smaller or larger task. Such in-depth self-examination may be new for many firms, and therefore potentially onerous. Just know that compliance requires you to answer questions like these from auditors, customers or others whose data you hold:

· What kind of information do you store?

· Where does the data come from?

· Where is the data stored?

· What is it used for?

· How is it secured?

· Who has access to your data?

· How much of the information is sensitive or personally identifiable?

· Could you collect less data and still get by?

What to ask

One more thing: in this brave new world you will be required to display something called ‘fair processing notices’. These include many of the points above, as well as an explanation of where else you may send user data and how long you intend to store it. Be forewarned, however. “Existing Privacy Notices are unlikely to be sufficient to comply with the regulations, which lay out new detailed requirements that Privacy Notices must meet,” caution EU business and legal analysts at Lexology.

Check your consent policies. If your data collection requires consent, the methods you use to obtain it, as well as the language explaining your opt-in practices, must be clear and explicit. No more pre-ticked checkboxes. No other information-gathering mechanisms that regulators could consider tricky or deceptive. Points to review with your team include:

· What is our current opt-in policy?

· Specifically, what are users opting in to receive?

· Can we prove that consent is specific, unambiguous and freely given, from everyone in our database?

If not, consider emailing the whole lot again and re-soliciting their opt-in consent.

Get help if you need it

Use the tips above, and those you gather from other sources, to conduct a thorough audit of your data collection, handling, storage and disposal practices and policies. Consider asking your team to refresh its knowledge of GDPR’s 11 Chapters and 99 Articles.

If you find there’s room for improvement and/or steps needed that exceed your available time, expertise or resources, give TeamLogic IT a call and tell us how we can help.


TeamLogic IT of Plano, TX is part of a fast-growing nationwide network of businesses offering state-of-the-art solutions to small and medium-sized organizations. Through consulting and a comprehensive array of services, TeamLogic IT addresses the needs of all levels of IT systems.