Your first steps to GDPR compliance
The biggest obstacle when dealing with a problem is figuring out where to start. Because GDPR comes with an exorbitant penalty, it is worrisome for companies, and there is therefore a level of urgency associated with the solution. Companies have now had over six months to meet the new standards, but in spite of this, industry experts have stated that many companies still aren’t prepared to cope with GDPR. The answer to the question of what the first step should be varies depending on the company’s size, the nature of its business, and so on. One approach does not fit all. For instance, a pharmaceutical company processing the medical data of thousands of people will be at a higher risk than a small company manufacturing cloth. The size of a company is another factor that affects the approach one might take to mitigate risk. However, there are some basic approaches that can be considered by everyone.
The key thing for a company or a data controller to do is to know all the areas where it might be vulnerable. This means a company needs to know all about the data that it is processing.
Sounds rather simple, doesn’t it? Well, it’s a little tricky. You see, the bigger the company, the harder it will be for it to collate and classify all the data. Have you ever been in a situation where your boss might have called you to his office with a case brief which you can’t find because your desk is a huge mess? You are sure you have it somewhere in the huge pile of paperwork but when it is required, you just can’t seem to find it. It is at that moment that you realise the importance of organisation. Well, that’s how the data that a company processes might be scattered around its ecosystem. Therefore, as a data controller, a company would require an inventory so that it has access to all the data belonging to various people or data subjects that it might be dealing with.
Assuming you are a company that is governed by GDPR, to be compliant with the regulation it is imperative that the company gets a baseline of its operations. It needs to know what kind of data it is collecting. How is such data being collected? How is such data being stored? Can it pull out a particular data subject’s record on request? Has it sought consent for using the data? Where is the consent recorded? And so on. This is a key step that many GDPR experts have advocated when discussing how a company might prepare for GDPR.
To be able to answer these questions effectively, a company needs to take certain steps operationally, technically and legally. On the operational front, a company should set up a team of individuals whose main task would be to create an inventory categorising all the data that the company might be processing. These individuals need to be trained and made aware of the regulation. A compliance checklist should be provided to these individuals to help them ensure compliance with GDPR effectively. This process may be effective for a small business that is processing less data. However, for a bigger company, which processes a large amount of data about various individuals, it becomes difficult to attain high levels of efficiency by manual operation alone. To ensure efficiency, a company would require some sort of software or technical tool.
As we discussed in our previous article, the only way that a company may save itself from the penalty in case of a breach would be to prove beyond reasonable doubt that it took all necessary precautions to avoid such a data breach. Now, if a company which processes the data of, say, 50000 individuals and had a team of 20 people to assure GDPR compliance somehow had a data breach, it would have a tough time trying to prove that it had taken reasonable measures to be GDPR compliant. It is therefore advisable that bigger companies processing large amounts of data invest in software that facilitates GDPR compliance. A good tool should be able to pinpoint the areas where a company might be at risk. It not only speeds up the process of making an inventory but also helps respond in a timely fashion to any requests or complaints that come from a data subject. Further, the level of efficiency would be much higher with a GDPR compliance tool, and in the long run it is a lot more cost effective than employing and training a team of individuals to ensure GDPR compliance manually.
On the legal front, a company should appoint a Data Protection Officer who will be responsible for ensuring GDPR compliance. A Data Protection Officer should take proper responsibility for data protection compliance and have the knowledge, support and authority to do so effectively. This relatively new personnel role is tasked with much of the heavy lifting in terms of making sure an entity is compliant. Companies in the European Union member states are required to have one. In case a company is too small to justify the cost, it should consider contracting someone with a legal background and GDPR specialisation to advise it. The details of the Data Protection Officer should be provided to the data subjects. Any complaints made to the Data Protection Officer regarding a breach of personal data should be resolved effectively and in a timely fashion.
Well, it is clear that all this might be a little overwhelming, but at least now you know where to start, and that brings you one step closer to the solution.