GDPR compliance — simplified

Legitiv
3 min read · May 20, 2018


GDPR has brought many changes for data processors and controllers globally. Companies must consider how they are affected by the new regulations and what changes they must make to stay compliant. In a nutshell: data subjects have increased rights over their data, data controllers and processors have additional responsibilities, and authorities have the power to impose significant fines.

How are you getting your organization ready for GDPR compliance? Here is a template project plan to help you on your journey to GDPR compliance. There’s no catch, no paywall, no requests for your email to get this information. Standard disclaimer — I am not a lawyer, and you should not substitute this for legal advice on GDPR.

Define your role

Are you a data controller, or a data processor? This is the first question you must answer. If your direct customers are individuals who are EU citizens, you are a data controller. If your customers are other companies (whose customers are EU residents), you are a data processor. Remember that your customer need not be a European company — a US company may have EU citizens as customers, and thus come within the scope of GDPR.

At the same time, you are a data controller for the visitors to your website. If you have an office in Europe, you are a controller for the data of your employees.

Diagram data flows

Once you’ve established your role, draw up a diagram of how data moves through your company: where it is collected and stored, who has access to it, which vendors handle it, and finally, how it is erased. This applies to your product, mobile app, website, any chat widget you put on your website, sales and marketing leads/prospects, candidate hiring system, HR records, and employee expense reimbursement system. Make sure to list all the vendors and tools you use.

Make changes

Your product should have the ability to edit, delete, and export an individual’s data on request. Make sure you are collecting the minimum amount of data necessary to deliver your service or allow your product to function. Don’t retain data beyond a reasonable time period. If you carry out any automated decision making, profiling or data enrichment, give individuals an option to opt out of it. Publish your privacy policy and terms of service, after ensuring they accurately reflect your actual practices. For your website, put up a notice that informs users of the cookies you use and how they can opt out. Secure the data with measures such as encryption.

On the marketing side, make sure you have consent via opt-in or double opt-in before contacting your prospects or leads. Don’t record calls without consent. Update the sign-up forms on your website or mobile app, and delete your logs after a specified time period.

Sign Data Protection Agreements with your vendors, maintain Article 30 processing records and evaluate if you need to appoint an EU representative or a Data Protection Officer.

Certify

The EU data protection authority will eventually set up an accreditation mechanism — similar to getting your company Privacy Shield or ISO 27001 certified. There’s nothing out there right now — so don’t listen to any firm pitching you their “exclusive GDPR compliance program”. Give it a few months for the regulations to be in force, wait for the noise to settle down, then take a call.

There’s much more to do, but that’s essentially GDPR compliance in a nutshell. Feel free to post any specific questions you have in the comments section, and I will do a follow-up post to answer all of them.

About me: I am the co-founder of Legitiv, a start-up in the compliance domain.
