Guest post from Ray Armstrong, CEO of Saros Consulting. Ray outlines a number of steps that businesses can follow to assess and improve their GDPR compliance.
The European Union’s new General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. The GDPR marks a significant change in the EU data protection and privacy regime. It will repeal and replace the current EU Data Protection Directive, which forms the basis for the existing data protection regimes in Ireland, the UK and across Europe. The GDPR also introduces the principle of accountability, which means that affected organisations will have to work on their internal compliance.
While there is already a significant amount of information about the GDPR in the public domain, Saros Consulting and Mason Hayes & Curran have worked together to outline the practical steps required to begin a GDPR compliance journey, or indeed any compliance journey.
Grounded in industry experience, our paper offers a pragmatic approach to help put your organisation on the road to compliance with the GDPR. I’m going to share some of our knowledge with you here. The full paper is available at http://www.sarosconsulting.com/2017/04/07/yourgdprjourney/
A 4-step approach
These four steps can help an organisation become GDPR compliant.
1. Assessment – understand the organisation’s current data-related environment
2. Gap Analysis – compare the organisation’s current data-related environment with the GDPR
3. Remediation – apply knowledge from the previous steps to reach compliance
4. Adherence – specify the actions necessary to maintain and update compliance
— Saros Consulting (@SarosConsulting) April 11, 2017
1. Assessment – where you are
The first step involves an assessment of your organisation’s information processes and procedures from the ground up. Data protection compliance should be embedded within the DNA of an organisation, in all of its processes, products and services.
Your assessment should cover a variety of components related to your organisation’s activities, including but not limited to hardware, security, software, contracts, policies, paperwork and training.
2. Gap Analysis – which shortfalls exist
The Gap Analysis compares an organisation’s current data environment against the future compliant environment required by the GDPR.
There are three stages to a Gap Analysis:
1. Analyse the organisation’s current situation
2. Identify the desired future state of compliance you want to reach, i.e. compliance with the GDPR
3. Define the delta between steps 1 and 2
A Gap Analysis will help to identify whether or not the organisation is GDPR compliant. If a requirement of the GDPR is not being met, a gap exists which will require corrective actions.
3. Remediation – what you need to do
Once your assessment and gap analysis have identified gaps in your compliance with the incoming GDPR, it is time to take compliance and corrective actions.
Remediation involves the creation of an action plan that will bridge the documented gaps. This plan facilitates moving from a state of non-compliance with the GDPR, to a compliant environment. Possible actions include hardware upgrades, data storage projects, and improvements to software security.
4. Adherence – where you need to be
Once you have taken the required action to reach the desired level of GDPR compliance for your organisation, the final step is maintaining this status. This will require ongoing effort on the part of the organisation and its Data Protection Officer, if one is appointed. Any new business initiative should be reviewed and its impact assessed to ensure continued compliance with the GDPR.
Compliant organisations will require sustained engagement and monitoring from legal, regulatory and IT perspectives to ensure that current and future data-related activities, including any new business initiatives, meet GDPR standards.
The one-stop-shop mechanism introduced by the GDPR means that organisations will be subject to a single lead supervisory authority, even where they have a number of establishments across the EU. Each supervisory authority has the power to carry out investigations in the form of data protection audits. They may access any premises and review any data processing equipment and means, so ongoing GDPR compliance is critical.
Organisations that control personal data are required to maintain a record of any personal data breaches to enable the supervisory authority to verify compliance with the controller’s notification obligation.
To make sure that organisations are able to maintain their data protection obligations, the concepts of privacy by design and privacy by default should be incorporated into the DNA of an organisation, throughout the development, design, selection and use of applications, services and products.
Where to from here?
The GDPR will have a tangible impact upon European organisations when it comes into effect on 25 May 2018.
The road to compliance will involve the implementation of, and continuous adherence to, new standards. Compliance with the GDPR will not be a box-ticking exercise and may require the assistance of experienced professional advisers.