Every organization has to start somewhere. See where you stand now.
The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, creating challenges for every organization doing business in the EU before, during and after the deadline.
Any entity targeting or monitoring European citizens must comply with GDPR. As the largest change to data protection legislation in the last 20 years, GDPR gives regulators unprecedented power to impose fines, requiring wide-scale privacy changes across organizations—including US-based companies if they conduct business in Europe.
But GDPR also represents a broad opportunity to:
This means adapting now. Not all organizations were compliant as of May 2018, but GDPR regulators need to see that robust plans to become compliant are in the works.
GDPR’s scope and requirements are deep and complex. The regulation requires a programmatic approach to data protection, like “SOX for privacy,” so you should have a defensible program for compliance and be able to prove you’re acting appropriately. Ask your organization these questions:
Strategy and governance
Define an overarching privacy program governance structure, roles and responsibilities designed to coordinate, operate and maintain the program on an ongoing basis.
Privacy policies, notices, procedures and guidelines are formally documented and consistent with applicable laws and regulations.
Cross-border data transfer
Determine a cross-border data transfer strategy based on current and planned future data collection, use and sharing.
Data lifecycle management
Create ongoing mechanisms to identify new personal data processing and use activities, and implement appropriate checkpoints and controls.
Individual rights processing
Enable the effective processing of consent and data subject requests, such as data access, deletion and portability.
Privacy by design
Develop a strategy and playbook for “privacy by design” to incorporate privacy controls and impact assessments throughout the data lifecycle for new and changing data use initiatives.
Identify existing information security and data protection controls and align security practices with GDPR considerations.
Privacy incident management
Align incident response processes with GDPR specifications and reporting requirements. Establish a triage approach to evaluating potential privacy breaches and incidents.
Data processor accountability
Establish privacy requirements for third parties to mitigate risks associated with access to the organization’s information assets.
Training and awareness
Define and implement a training and awareness strategy at the enterprise and individual level.
Your organization may be just getting started—or may already have a GDPR program in place. Here’s what happens on the way to compliance.