The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, with significant fines for non-compliance. It impacts any organization in the EU and organizations outside the EU who sell, market to or monitor EU individuals.
With time running out, here are some minimum items you should have in place by the deadline:
Review your Privacy Governance Model in light of GDPR. For example, evaluate whether or not a data protection officer needs to be appointed, and ensure that you have appropriate policies and procedures in place. You should evaluate whether or not a data
protection officer needs to be appointed, ensure your firm has the appropriate policies and procedures in place, and make sure that all relevant trainings are carried out.
2. DATA SUBJECT RIGHTS
Identify and locate all of the personal data you hold. Be able to provide data portability to individuals who request it, erase data as part of the 'right to be forgotten,' and consider all the different conditions that apply to these rights.
3. CONTRACTS WITH VENDORS AND CUSTOMERS
Review all of your organization’s contracts where personal data are processed, especially contracts where personal data is transferred outside the EEA. Prioritise the list and work your way through, ensuring the contracts include new GDPR-compliant wording,
and auditing vendors to ensure they are complying with GDPR.
4. DATA RETENTION
Review the personal data you are storing and purge the data that you no longer need to retain for a legal or other obligations. It’s recommended to also purge all unnecessary personal data as inexpensive storage has led many organizations to retaining gratuitous
5. SECURITY AND BREACH REPORTING
Review your information security practices and make sure you have a Personal Data Breach Response Plan in place. Be ready to notify regulators (within 72 hours) and individuals (without undue delay) if required. Consider a review of your insurance cover
to see if it needs to be amended in light of the higher fines and penalties under GDPR, and whether it provides help in breach situations.
At a minimum, you’ll need to complete a gap analysis, develop a remediation plan, and begin its execution as quickly as possible. This progress should be documented in full and ready to share with stakeholders, regulators and auditors. Be aware that GDPR
requirements are much broader than the 5 points above and have nuances depending on the firm. Even after acting on the 5 essential items above, firms must continue to work on their GDPR compliance.