Now that we’ve crossed into 2018, the GDPR is only months away. Less than three months, in fact—the new EU General Data Protection Regulation becomes enforceable worldwide for any organization that processes or stores EU citizens’ personal data on May 25, 2018.
Good news is, you still have time to meet GDPR requirements in your organization. With nearly 12 weeks to go, businesses who must be compliant with the GDPR have some remaining wiggle room to tie up any loose ends and establish their compliance for May 25 and beyond.
RELATED READING: Understanding the GDPR (General Data Protection Regulation)
If you’re longing to finish preparations and avoid the hefty fines and penalties that come with non-compliance, we’ve got you covered. Use this GDPR readiness checklist to determine where you’re covered and what still needs doing before May.
Review official GDPR-documents, rules, notices, and other considerations.
Identify what sort of personal data you process and retain.
You may be processing more personal data than you think. We recommend locating what data you hold, documenting where it came from and who you share it with (e.g. 3rd parties), and using technological measures to render whatever data you keep unidentifiable.
Remove unnecessarily stored information.
Once you have a grasp on the type of data you process, perform an audit on your inventory. Are you storing any personal information unnecessarily? Determine which data should be removed and create a process for properly erasing it. This process is especially important for compliance with the GDPR’s “right to erasure.”
Create a responsibility framework.
This documentation of your organization chart will help you appoint a structure for governance over GDPR requirements. Appoint (or hire) employees to take on tasks, raise awareness of the regulation internally, and consider launching an GDPR training plan.
Appoint a Data Protection Officer (DPO).
Under certain circumstances, organizations will need to appoint a DPO. The GDPR requires the DPO to monitor for compliance with the regulation and advise an organization on their “obligations to comply with the GDPR and other data protection laws,” among other things. The DPO can be an existing employee or contractor. Learn more about DPOs on the ICO website.
Review your current policies and procedures.
Review and revise any current policies you have to ensure they align with any requirements you need to meet. Make sure these are easily accessible for employees who need to view them, and check back often to identify areas of improvement.
Integrate GDPR considerations into your processes and responsibilities.
Are there any existing risks in your day-to-day responsibilities that could keep you from being fully GDPR compliant? Identify vulnerabilities and address them, then take stock of your current processes. The way you handle them may need to change to ensure compliance.
Use appropriate technical and organizational measures to ensure and demonstrate compliance.
GDPR Article 24 specifies that “the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” Look to implement solutions that will help you delegate and monitor critical regulation needs, such as securing your file transfers and creating audit trails for policies and procedures.
Design and document a Data Breach and Incident Response Plan.
The GDPR requires organizations to notify citizens within 72 hours of data breach awareness. As this is a big change from other regulations and rules out there, take some time to design a Data Breach and Incident Response Plan. This GDPR data breach response presentation from Squire Patton Boggs is a good place to start.
Understand the penalties and fines applicable to those found non-compliant.
Penalties are strict for those who are found non-compliant with GDPR requirements. Fines range from €10M (or 2% of total worldwide turnover) to €20M (or 4% of total worldwide turnover), depending on the types of grievances committed.
This checklist is a great place to start your journey toward compliance, but it isn’t comprehensive. Review the official GDPR documentation to ensure your organization has met all applicable requirements.
GoAnywhere Managed File Transfer (MFT) is a secure file transfer solution that can help you comply with 9 GDPR articles and their sub-components. These requirements range from collecting consent forms and performing integrity checks on successful transfers to ensuring your organization integrates proper security processes and audits all personal data.
Learn how you can achieve compliance with GoAnywhere MFT.