Understanding the General Data Protection Regulation (GDPR) is just the beginning if you want to meet the May deadline—having a GDPR compliance checklist is critical. By regulatory standards, GDPR is a heavy read, even if you’ve dealt with other compliance legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA). But once you’ve wrapped your head around the pending European privacy legislation that’s driven by citizenship, not geographic borders, you’ll need to do the legwork that will ensure you can pass a GDPR audit with flying colours.
As with any large IT or business process reengineering project, the challenge is getting started, and the key to gaining momentum is knowing what needs to be done. By taking it one task at a time, you’ll make headway slowly but surely. The good news is there’s no shortage of third-party consultants and software vendors eager to help you—it’s always valuable to have an outsider look at your policies, procedures, and technologies—and there are concrete steps you can follow in the short term to meet the stringent standards of a GDPR audit.
Consult existing polices
If you like developing internal policies, GDPR will be your jam, because there’s a lot you’ll need to put in place. These are high-level documents that set principles and differ from procedures, which lay out what, when, and how things should be done. For those who aren’t policy wonks, there’s a good chance some of the needed policies are already in place due to existing privacy legislation, so they may merely need a tweak. Here’s where you should start:
- Data protection policy: This reflects that you’re gathering and using certain information about customers, suppliers, partners, employees, and other business relationships you may need to contact. It outlines how personal data must be collected, handled, and stored to remain compliant with the law.
- Training policy: If you don’t have one already, create a policy outlining how you will prepare your employees to stay compliant with GDPR. It may highlight certain roles and departments based on their interaction with personal data, address new employee onboarding, and identify any necessary certifications or special education required.
- Information security policy: Regardless of GDPR, organizations should have effective cybersecurity and data protection controls, but you should review and update your policies to reflect specific aspects of the new legislation and those of the organization. You must define security objectives, data assets, and guidelines governing your employees’ behaviour—you must address the human factor, because employees strongly influence your security posture and ongoing data protection.
Fine-tune your processes
Privacy legislation isn’t new and should be able to adapt to GDPR, but the differences may mean revising your business model. You need to update procedures in a manner that doesn’t disrupt operations and lead to downtime. Among the procedures you’ll need to update or introduce:
- Data Protection Impact Assessment (DPIA): A DPIA is mandatory under GDPR and used to identify and mitigate any data protection-related risks. It’s not a one-time thing, either. You’ll need to do one whenever you start a new initiative that might affect information you collect and retain.
- Retention of records: Regulated industries, such as healthcare and finance, already require robust records management, and most organizations that have a document management system can audit usage of records and files, if necessary. Under GDPR, the scope of a retention is far-reaching, so you need a framework for employees to manage information across its lifecycle, whether it’s digital or physical.
- Data portability: Data portability is the ability to export data to someone else. GDPR requires your systems, connected products, applications, and devices to port and transmit data into commonly used, machine-readable format. For the data subject, such as a customer, they now have the right to exercise more control over their own data, as well as receive any personal data concerning themselves. On a related note, you need an international data transfer procedure, as GDPR distinguishes between countries outside the European Economic Area that have sufficient protection for personal data and “non-adequate” countries that don’t.
- Subject access request: Since data subjects, including customers and employees, have the right to find out how you are processing their data, you must have a method of handling a subject access request (SAR). You must also be able to respond to an SAR in a prompt and adequate manner, detailing personal data processed, the purposes for which the personal data has been processed, and who the personal data has been disclosed to.
- Complaints: Data subjects can also complain if they feel their data has been improperly processed, used, or breached. You should have a policy encouraging them to come to you first and a process to investigate the complaint. If you want to ensure transparency and accountability as part of your GDPR compliance checklist, you should be up front with data subjects about your complaints process.
Spread the word
It’s not enough to simply comply with GDPR. You must let everyone know: Your privacy notices must be reviewed and updated to comply with GDPR and communicated with anyone affected. It also means you must reconfirm consent. When you first collected personal data from customers, for example, you needed to be clear about your identity and how you planned to use their information when you first engaged them.
GDPR means there’s more you have to say. You must outline your lawful basis for processing the data, how long you’re going to retain that data, and let people know they can withdraw permission at any time—and how. Another key part of GDPR is breach notification—include it in your communications procedures.
Let security follow your data
Technology isn’t the silver bullet for passing a GDPR audit, but implementing the right information security infrastructure should be on your GDPR compliance checklist. Since the legislation requires you to embed privacy into how you do business, it makes sense to look at security the same way. First, however, you need to understand where your data flows, so having a comprehensive a penetration testing methodology is essential. It’s more than just plugging holes in your network. You need to test devices, applications—web-based and on-premise—procedures, and even physical access to your facility.
You also likely have many endpoints within your environment and connected to it, thanks to remote workers and the Internet of Things. Where possible, take advantage of any built-in security features, even those on your printers, as they are all potential access points that can lead to a breach of data and GDPR compliance if overlooked.
You may be tired of hearing about everything you need to do to pass a GDPR audit, but there’s a lot to get done. Unlike the Millennium bug, meeting the deadline is not just about technology upgrades—it’s policy and procedure driven. Understanding that will position you well when it comes to compliance, as well as establishing the new normal of putting the privacy of citizens first.
Missed our first segment about GDPR? Check it out here: “Be ready to play the long game when preparing for GDPR,” and learn how you can stay in line with shifting data regulations beyond GDPR with, “Keep pace with the evolving, far-reaching impact of GDPR.” For more IT security insights from Tektonika, click subscribe at the top of the page.