Preparing for the GDPR: Start By Understanding The Data That You Hold
The GDPR (General Data Protection Regulation) is a new EU regulation that strengthens data protection for individuals in the European Union, including when their data is processed outside the EU. It affects not only businesses with a physical presence in the EU, but also any business established elsewhere that offers goods or services to individuals in the EU or monitors their behaviour, which includes online services such as Facebook or Google. To avoid sanctions, where should an organization start in getting ready for the GDPR before it applies on 25 May 2018?
Compliance with the new regulation starts by answering some basic questions about the personal data your company holds:
- What personal data are you collecting, and why?
- For what purpose, and on what lawful basis, are you processing it?
- Where did the data come from, and who is it shared with?
- Where is the data stored (databases, reports, files, cloud storage, USB drives, etc.)?
- Who has access to it (employees, contractors, third parties, etc.), and do they know how to handle it in a way that minimizes the risk of a data breach?
When you know all this, work out which data you actually need and which you do not, and stop collecting the latter; this is the GDPR's data minimisation principle. You also need a standardized process for informing individuals how you intend to use their information and, where consent is the lawful basis you rely on, for obtaining and recording that consent.
This first step towards GDPR compliance is a data protection audit, sometimes called data mapping. You may need to run it across the entire organization or within particular business areas. Doing it also helps you meet the GDPR's accountability principle, which requires organizations to be able to demonstrate, in practice, how they comply with the data protection principles.
To demonstrate that, document everything and maintain a record of your processing activities, as Article 30 of the GDPR requires. For example, if you hold inaccurate personal data and have shared it with a subcontractor, you will have to tell that subcontractor about the inaccuracy so that it can correct its own records (the notification obligation in Article 19). You cannot do this unless you know what personal data you hold, where it came from and who it is shared with.
So the GDPR is about information and protecting it, wherever it is. Understanding your company's information is the essential first step: audit all of your data, policies and procedures, record the results, and benchmark them against the GDPR's requirements to see your level of readiness and identify the red flags that need urgent attention.