Don't gamble with your company's investigation process.

Learn about i-Sight software today

GDPR Compliance: 23 Things You Need to do Right Now

Posted by Dawn Lomer on May 30th, 2018

Are you confident that you have done everything you need to do to comply with the General Data Protection Regulation (GDPR)? In a recent study, fewer than half of the companies represented were ready for the GDPR to come into effect on May 25th. The study also revealed that people are still confused about whether or not the regulation applies to them.

Does the GDPR Apply to My Company?

In a nutshell, the GDPR applies to any organization that processes the data of EU citizens, not just companies resident in the EU. Naturally, it applies directly to companies that are based in the EU, but it also applies to companies that offer services to, or collect, store or monitor the data of EU citizens, no matter where in the world the company is located.

This article outlines 23 steps to take towards GDPR compliance.

The General Data Protection Regulation (GDPR) comes into force on May 25th, 2018. It governs the way companies handle, store and transfer the personal data of EU citizens. But just because your company isn’t based in the EU, or doesn’t have any customers there, doesn’t mean you are off the hook.

A company may have personal information of EU citizens in its databases if it has a website that collects information on visitors. Even IP addresses are considered to be “personal information”. What about your marketing databases? Could they contain any names or email address of EU citizens? Do you have contractors or employees in the EU?

Quick overview of the GDPR:

The following 23 steps will put you on the road to GDPR compliance and a healthier and more robust data security environment.

1. Complete a data inventory.

The first step towards GDPR compliance is to understand what data your company collects, stores, processes and transfers. This is a great exercise for any company to carry out. It forces you to examine your business processes as they relate to data. By documenting what you do, why you do it and how, you can expose the areas where you can improve or simplify processes. Do you need to collect all the data that you collect? Are there better or more secure ways to collect and store it? By streamlining what you collect and how you collect it, you can reduce risk.

2. Determine where data is being stored.

Mapping out where all your personal data is stored allows you to assess its security and portability. Do you have a way to quickly access data when requested? Are there mechanisms to delete it or download it if a data subject requests it. If not, what mechanisms can be put in place without compromising security?

3. Raise awareness.

The GDPR is no small matter and non-compliance can cost your company up to 20 million Euros or four per cent of its annual global revenue, whichever is higher. It’s critical that all employees with access to personal data are aware of the requirements and understand what’s at stake. This starts with company culture that prioritizes good data governance. If your employees see data security as a top priority for the company, communicated through strong policies and procedures and reinforced through training and follow-up, GDPR compliance will be easier to achieve.

GDPR Compliance Checklist

Need a quick and easy guide to the GDPR? Download the free GDPR Compliance Checklist to keep track of the requirements for compliance.

Download the Checklist
Close-up of employees working together, following the code of conduct policy with good behaviors.

4. Get everyone on board.

Take a holistic approach to achieving compliance by involving as many stakeholders as necessary. This includes IT, privacy, marketing, legal, business processes, corporate security and the board. You’ll need to eliminate silos to ensure every part of the business that touches data is aware and participating in the process of achieving compliance.

5. Assess the current state of GDPR compliance.

It’s important to know the state of your company’s current data security processes in order to determine what needs to be done to achieve compliance. What security measures are already in place? Where do you keep data, and do you have mechanisms for ensuring deletion? Can you provide data subjects with their data? Conduct a gap analysis to compare what you have in place to what you need to have in place.

6. Identify the steps to compliance.

Make a list of the GDPR requirements that you don’t currently meet. These could involve network security, hardware, software, systems and processes, staffing and policies.

8. Determine the resources you’ll need.

You may need to bring in outside help to meet the privacy requirements of the GDPR.
Outsourcing could include:

  • security consultants
  • data privacy experts
  • lawyers/legal experts
  • communications advisors
  • other third-party experts

9. Create a GDPR compliance plan.

Ensure all stakeholders are involved in this process and share the plan with everyone who will be called upon to complete tasks as part of the compliance process.

10. Put staff in place.

Designate or hire a “Data Protection Officer” who will be responsible for seeing the compliance process through and will also bear the responsibility of continuous monitoring once the processes and policies are in place. Assess the need for other roles to implement and monitor the policies and processes related to ongoing compliance and hire or designate these as necessary.

Ethics Training

11. Train employees.

Ensure everyone who has a role in the new processes understands the importance of the regulation. Train all staff in the new procedures and policies. Document all training and have employees acknowledge the training by signing a training log or similar record.

12. Notify contacts and customers.

Let your customers and contacts (data subjects) know about the changes in your privacy policies and processes that you are implementing. Inform them of their rights under the GDPR and explain what they need to do if they would like to exercise those rights.

Examples of wording for informing customers and contacts of changes in privacy policies and processes.

 Example 1:

In order to keep you informed about how we use your personal data, we’ve updated the privacy policies for our websites. Please read our new policies, which will be effective starting May 25, 2018. Our updated privacy policies outline the following:

  • Why we collect your personal data and what we do with it
  • Legal grounds for processing personal data
  • Data privacy user rights and how to exercise them
  • How to contact us about data privacy

If you no longer wish to interact with us and would like to delete your personal data from our servers, please visit our data management portal.

Example 2:

Here at [company x] we value privacy and transparency, so we are writing to you to communicate some changes we’re making to our privacy policy and terms of use. These changes will be effective starting on May 15, 2018.

  • We have created a new privacy center to make it easy for you to find legal and privacy information.
  • We’ve added a new legal page to our website with information on how we handle personal information and data.
  • We’ve provided a detailed description of our security practices in simple language that everyone can understand. It explains how our customers can audit our security.
  • We’ve created a help center that explains how to exercise your data privacy rights and how to control the use of your personal information.
  • We’ve given you instructions on how to get our help for your data requests.We’ve also provided instructions for how to get our help to respond to data requests you might receive from third parties you contact using our services.
  • We’ve included information on how we use machine learning technology, cookies and other tracking technologies to personalize the information you receive from us.
  • We’ve outlined how we aggregate data to help us analyze trends and how that helps us provide better service to our customers and contacts.
  • We’ve also explained our collaboration with trusted partners to improve the quality of personal information we collect, to understand how data subjects interact with our site, and to determine what products and services interest our customers.

13. Apply data protection by design and by default.

This means that personal data must be processed with the highest privacy protection in place. For example, only the necessary personal data should be processed, it should not be stored for longer than necessary and it should not be accessible to anyone who doesn’t need it.

The European Commission website provides the following examples to illustrate:

Data protection by design

The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).

Data protection by default

A social media platform should be encouraged to set users’ profile settings in the most privacy-friendly setting by, for example, limiting from the start the accessibility of the users’ profile so that it isn’t accessible by default to an indefinite number of persons.

14. Put in mechanisms to obtain informed consent.

Ensure users on your website are actively consenting to having their data collected. This means that every form contains an opt-in that is not completed by default. In other words, if you have a check-box for users to consent to your collection of their email address or other personal data, it cannot be checked by default. The user must be required to check the box in order to consent to their data being collected.

15. Explain cookies.

Ensure website visitors understand your use of cookies, what they do and why your website uses them. Put in a mechanism to gather consent for your website’s use of cookies.

16. Empower data subjects to exercise their rights.

Create mechanisms for data subjects to easily request:

  • A copy of their data
  • Updates/changes to their data
  • Deletion of their data
  • Secure transfer of their data to a third party
Hostile work environment

17. Identify when DPIAs are needed.

According to the EU Commission website, a data protection impact assessments (DPIA) is required when processing of personal information is likely to result in high risk to the rights and freedoms of data subjects.

Find out how i-Sight case management software can help you conduct an effective DPIA. Book a Demo now.

The EU Commission website provides the following examples to illustrate situations when a DPIA may or may not be required:

DPIA required

A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients’ health data; a bus operator about to implement on-board cameras to monitor drivers’ and passengers’ behaviour.

DPIA not required

A doctor processing personal data of his patients. In that case, there is no need for a DPIA since the processing by the doctors isn’t done on a large scale in cases where the number of patients is limited.

18. Obtain and revalidate consent of data subjects.

Determine how you are going to get consent from existing data subjects. This usually takes the form of an email sent out to all contacts to gather their explicit consent. The request should be specific and simple. It should explain what you are collecting, why and how long you will keep it. It must include the name of your company and any third parties that interact with the data and it must inform data subjects that they may withdraw their consent at any time. Make sure you keep records of this consent and review this periodically.

19. Examine data transfer procedures and policies.

What is your process for managing personal data transfers? Do you use encryption? Where is data housed before and after transfer? Get IT involved to ensure you have a strong and compliant process for protecting cross-border transfers of personal data and that only the necessary data is being transferred.

information security

20. Plan for breaches.

Develop an action plan to implement in the event of a breach. Ensure you have adequate breach detection mechanisms in place and a process for investigating data breaches. Document a process for reporting breaches to the relevant supervisory authority as soon as possible and no later than 72 hours after the data controller is aware. Your breach notification plan should include training for staff at every level and workflow rules to ensure a compliant process is followed and no steps are missed.

Download the free cheat sheet 7 Steps to Address a Data Breach.

21. Consider implications for data subjects under age 16.

Implement a mechanism to ensure data subjects under 16 are identified and collection, storage and processing procedures comply with GDPR regulations for consent.

22. Document your GDPR compliance journey.

Keep detailed records of your progress toward GDPR compliance. This can be in the form of a data register, procedures documentation or other record of your efforts to comply with data protection regulations. This should include:

  • Results of your data inventory exercise
  • Data mapping activities
  • Awareness and training
  • Original compliance assessment
  • Resources brought in to help
  • Process used to notify and gain informed consent from data subjects
  • DPIAs undertaken

23. Implement continuous monitoring.

Once you have all your processes and policies in place and documented, you’ll need to check back at regular intervals to assess their performance. Set a schedule for auditing GDPR compliance, stick to it and document each audit.

Benefits of GDPR Compliance

This may seem like an awful lot of work, but the benefits – aside from avoiding huge fines – are many. Every company can benefit from taking an inventory of the personal data they collect, store and process. From a security standpoint, this provides an opportunity to review security processes and strengthen them. From a customer service perspective, the GDPR compliance process will reassure customers that your company takes their privacy seriously and help to gain their trust.

Dawn Lomer
Dawn Lomer

Manager of Communications

Dawn Lomer is the Manager of Communications at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.

Book A Demo

To our customers: We’ll never sell, distribute or reveal your email address to anyone. Privacy Policy

Want to conduct better investigations?

Sign up for i-Sight’s newsletter and get new articles, templates, CE eligible webinars and more delivered to your inbox every week.