What to do if you missed the GDPR deadline
Post GDPR Deadline Guide: What to do after the 2018 deadline
Five steps to take after the GDPR deadline and how to become compliant
It is OK if you are not completely GDPR compliant after the May 25th deadline. In fact, Gartner predicts that by the end of 2018, half of all businesses affected by GDPR will not be fully compliant with its requirements. Bart
Implementing a Data Protection Officer (DPO) is also crucial. Whether you decide to do it in-
Gartner recommends organizations focus on five high-priority changes to help them get up to speed with GDPR requirements.
- Determine Your Role Under the GDPR
Any organization that decides on why and how personal data is processed is essentially a “data controller.” The GDPR applies
Five questions to find out if your organization falls under GDPR
- Appoint a Data Protection Officer
A data protection officer (DPO) is a security position tasked with ensuring that data management and handling are compliant with the European Union’s General Data Protection Regulation (GDPR). Most organizations must appoint a DPO to be GDPR compliant. Simply appointing a DPO will reduce the scrutiny the EU regulators will place on your organization. You can appoint a DPO in-house or through a third-party company (DPO as a service). This not only helps with GDPR compliance, but will likely help you avoid a hefty non-compliance fine and improve your company’s overall security. The recent influx of data breaches from cyber attacks shows the importance of having a DPO. By adding this extra level of security, some large
- All data activities must have a well-defined and clearly understood process of operation going forward.
Very few organizations have identified every single process where personal data is involved. Access privileges, data quality, and data relevance should be decided when starting a new processing activity. This includes all areas of your website where form fills or tracking reside (such as Google Analytics, MailChimp, etc.). Organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities moving forward. Third-party companies must also comply with requirements that can impact the personal data and processes in use. It is important to note that accountability under the GDPR requires proper consent from the user during acquisition and registration. Pre-checked boxes and implied consent are no longer acceptable forms of “opting in”. A clear and express action by the data subject is needed to obtain and use their personal data, together with the option to withdraw that consent. If you need help designing such a procedure, you can reach out to MDS for more information via email.
- Data-breach policy.
All organizations must report certain types of personal data breaches to the relevant supervisory authority. They must do this within 72 hours of becoming aware of the breach, where feasible. If the breach affects individuals’ personal data as well as their rights and freedoms, you must also inform those individuals without undue delay. Organizations should have breach detection, investigation and internal reporting procedures in place, and should keep a record of every personal data breach, regardless of whether they are required to notify. These are the aspects of GDPR that can accrue penalties and fines. One thing people everywhere now know about the GDPR is that GDPR fines (administrative fines) can go up to 20 million euros or 4 percent of annual global (note: global) turnover, whichever is higher. This is where most
- Prepare for Data Subjects Exercising Their Rights
Data subjects have extended rights under the GDPR. These include the right to be forgotten, the right to data portability and the right to be informed in the event of a data breach. If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls. Just as your website and email lists must meet the “opt-in” requirements, you must then give your data subjects the opportunity to “opt out” of all communications. Data subjects should also be able to have their data completely erased from your database. This “right to be forgotten” protects the data subject in the event of a data leak, and gives the data subject control over their personal information and how it is being used. If you complete these five steps, you will be way ahead of the game when it comes to GDPR compliance. Please don’t hesitate to reach out to us for any help along your compliance journey.