7 steps for getting your organization GDPR-ready
While the EU has had long established data protection standards and rules, its regulators haven’t truly commanded compliance until now. Under the General Data Protection Regulation (GDPR), financial penalties for data protection violations are severe – €20 million (about $24.8 million USD) or 4 percent of annual global turnover (whichever is higher), to be exact.
What’s more is that GDPR does not merely apply to EU businesses, but any organization processing personal data of EU citizens, regardless of location. That said, organizations need to take real steps to improve how they collect and manage data.
At its core, GDPR compliance is about following sensible information management practices. However, oftentimes, business users do not follow their organization’s information governance policies, whether it’s because storing content in these platforms is tedious or simple ignorance of the rules. Compliance with the GDPR will therefore require practical steps which both improve employee awareness and the practices that make it more likely people will follow the rules.
But doing this is easier said than done, and business leaders need practical, actionable strategies that they can implement to meet the new requirements. Here are seven steps to help organizations improve data management and close the GDPR compliance gap.
1. Get explicit customer consent
From fitness apps to online checkouts and contracts, companies are collecting more consumer data than ever before. Under GDPR, be clear about what information you’re collecting and how it will be used, and have a legal document in place that clearly outlines both. Another option is to only collect data you need – if you don’t need to know a person’s ethnicity for a specific reason, consider eliminating those prompts on your website.
2. Centralize data storage
As far as possible, you should unify your central content repository. Aim to store all personal customer data in one environment, or connect on-premises and cloud deployments. If this is not possible, make sure that departments have one single space for storing data. Eliminate shadow IT and train all staff to be compliant with these practices.
3. Audit the information you have
One of the easiest ways to begin complying with the GDPR is to perform an audit of all the information you currently hold, and search for any personally identifiable information that may exist across your organization. Move what you want to keep to a central repository and delete the rest.
4. Make subject access information easy to find
As of May 2018, consumers will have the right to demand a ‘subject access request,’ in which companies must be able to provide them with a file containing all the information you hold on them. To be compliant, you will need to confidently collect data from all your systems about a specific customer, which may involve collecting data from multiple systems, so have the technology and processes in place to do so.
5. Security, security, security
Companies must store any data they collect via internal systems in a secure platform, so assess your current cybersecurity measures, make sure basic security procedures such as encryption and password protection are in place and then promote best security practices amongst members of your organization.
6. Implement accountable records management
Personal customer information that your staff receives must be recorded centrally, have permissions and metadata tags applied and be destroyed when no longer required. Don’t keep paper records, and implement strict, automated processes about how long you hold onto this information and when it’s no longer needed.
7. Honor customers’ right to be forgotten
The GDPR will allow consumers to demand that an organization deletes any data they hold on them. In order to honor this, be sure that all personal information is moved to this central environment so it can be easily and thoroughly removed.
Improved data management and information governance is good for everyone, but it’s becoming critical for GDPR compliance, and organizations that don’t get on board will end up paying both financially and legally. These seven steps will have you well on your way to revamping how your organization stores data and make for a more secure and organized business environment.