These organizations need to implement an accelerated timeline, both to understand how these new guidelines will impact themselves and their customers, and to ensure that standardized, GDPR-compliant business processes are in place.
To get ahead of that May 25 deadline, here’s a month-by-month roadmap to ensure your team is ready.
December: Find Your Fearless Leader
By December 2017, a fundamental step for any organization is to identify who will champion compliance efforts. If your core business activities include the regular, systematic monitoring of individuals on a large scale, or the processing of special categories of data, GDPR requires the appointment of a data protection officer (DPO) to monitor, assess, and advise your business on compliance.
Even if your organization doesn’t fall under this category, voluntarily appointing a data compliance officer could greatly help your preparation efforts. It’s also important to establish an early relationship with your local data protection authorities (DPAs) responsible for policing GDPR regulations, who can provide additional insight on requirements and how the new policies will specifically impact your organization.
January: Get a Grip on Customer Rights
Per the European Commission, personal data includes a broad swath of identifiable data – public, private, or professional – including contact information, medical records, images, even IP addresses. The scope of this personal data is wide, and GDPR places the onus on businesses to centrally document and responsibly manage this information.
Transparency is at the core of this legislation and customers have a host of new rights in their pocket, including:
- Access: Data subjects can inquire about the use of their data, such as why their data is being processed and where it’s stored.
- Data Erasure: Otherwise known as the “right to be forgotten,” data subjects can request their personal data be cleared from databases if that information is no longer needed by the business.
- Informed Consent: No more carefully worded terms and conditions or cryptic legal documents; data subjects must be presented with clear, definitive forms to consent to data processing, and equally accessible paths to withdraw that consent.
February: Standardize Your Internal Policies
GDPR is going to hit home for everyone – marketing, support, finance, and legal – not just the IT departments tasked with the bulk of the data management burden. Establishing internal, cross-departmental policies around data retention, privacy settings, and information handling equips these different groups to properly handle requests from individual customers, businesses, and DPAs.
Standardizing these policies will enable your organization to operate more consistently and efficiently, while offering additional opportunities for automation – deleting outdated customer information, promptly scanning your network to handle erasure requests, and helping monitor and update your security components to protect information.
March: Prepare to Breach!
Well, for a breach. In the same arena as transparency, another requirement of GDPR is notification of a data breach within 72 hours of its discovery when malicious intent is suspected. This turnaround time is extremely short for internal forensics teams to assess and diagnose a problem; thus, developing a standardized, detailed response plan with clear owners will aid in the event of a breach – a risk facing all IT service and cloud providers, regardless of how well managed their operation may be.
April: Audit Yourself
Give your team the month of April to test internal protocols and finish up overdue projects. Take this time to run through breach and audit scenarios, erasure requests, new support programs, and other changes your company has implemented over the past few months. Step back to work out kinks, establish owners, and even look to automate manual tasks where applicable. While it may take regulators and customers a few months to adjust to these new guidelines, readying your team on day one is the best way to ensure success.
Finally, legal departments should be front and center of the march towards compliance, helping the DPO (or equivalent GDPR representative) ensure these considerations are made in time. Internal or third-party counsel has the benefit of understanding the more granular details of GDPR regulations and can greatly aid other departments and business leadership in their preparations.
May: Adapt or Die