Compliance. It isn’t a pretty word. But if your organization isn’t GDPR-compliant by May 25, 2018, the ramifications could get very ugly.
With a little over a few weeks to go until GDPR graduates from proposal to regulation, the deadline for compliance edges ever closer. The consequence of non-observance is severe with financial penalties, bans on data processing and immense reputational damage lying in wait for those organizations who don’t plan correctly.
And what’s more, even if your compliance procedures and processes are watertight, are your sure your supply chains are? It’s critical you audit any third parties who process your data as all it takes is for one lax data processing partner to drag you down.
With that in mind, we’ve created a handy checklist to help you recognize where you stand and what, if anything, you might still have to do.
1) The Audit
This should be top of anyone’s list, regardless of your type of business. The first step to GDPR compliance is understanding what kind of data you hold. How did you source it? What is it used for? Who has access to it? These are all questions you need to ask. And now.
3) Data Protection Officer
Have you appointed a Data Protection Officer (DPO) yet? If you’re a public authority, then a DPO is a requisite ahead of GDPR. And even if you’re not, it’s wise to appoint somebody to be responsible for your data collection policies and procedures. Without this figurehead, your data ship will sail without a captain.
4) Request processes
Being prepared for GDPR means having the processes in place after GDPR lands. You need to make sure you have the right procedures in place to deal with any requests for the data you hold on individuals. Also, be prepared to be asked to delete data. If that’s news to you, then it’s time to map that process.
5) Data breaches
How organizations react to data breaches is another GDPR game-changer. Applied to both accidental and deliberate breaches, data breaches must be reported, in almost all cases, to the Information Commissioner’s Office (ICO) within 72 hours. Are you set up to spot a breach and report within that timeframe?
6) International requirements
If you’re a business who participate in cross-border data processing, then you’ll need to know who your data protection authority is. In the large majority of cases, this is where your EU HQ is based or where decisions about data processing take place. Plan ahead work out who you need to report to.
If you’d like more information about GDPR and the plans you need to put in place in order to ensure compliance visit our GDPR specific page: mapp.com/gdpr