Enforcement of the General Data Protection Regulation (GDPR) begins May 25. While many are in compliance, others are struggling to meet the deadline, and more still don’t even know where to begin. Here are some questions that company officers can ask their data privacy/security leaders.
- Does GDPR apply to our organization?
This may seem obvious, but many organizations believe that GDPR does not apply to them because they are headquartered in the US. This, however, is a grave misconception. It is important to remember that GDPR applies to any company that targets, processes or controls the personal data of EU residents, regardless of where that company is located.
- Does GDPR apply to all our data?
It is vital to understand what types of information are protected under GDPR. GDPR includes more types of data than previous directives, such as contact information data, biometric data, genetic data, IP addresses, and other privacy-related data. Our definitions of sensitive data need to be brought to a broader standard.
- Have we done a thorough discovery of our 3rd-party vendors and the data they collect?
Most enterprises’ primary focus is on customer-, partner- and employee-held data. Unfortunately, for most organizations this means overlooking an often-critical amount of data collection happening on the organization’s own website and mobile apps. This can be a detrimental oversight, because there can be tens to hundreds of 3rd-party vendors executing code there and collecting personal data about users, with a tremendous impact on personal privacy.
- Who in our organization is taking GDPR ownership?
GDPR compliance strategy is undoubtedly a team effort. However, someone within your organization needs to take ownership of GDPR. In certain circumstances, GDPR requires a Data Protection Officer (DPO), responsible for GDPR compliance strategy and solution implementation. It’s always a good practice to assign an owner to data privacy/protection in general. If not required under the specifications of GDPR (and many fall outside of this requirement), companies will want to steer clear of the formal DPO title to avoid unnecessary compliance requirements.
- How are we recording our data processing activities?
Article 30 of GDPR covers Records of Processing Activities. This may seem like a low priority in terms of GDPR, but this article holds as much weight as the rest of them. A good first step is to inventory all applications on your network and reconcile all software titles that are a known GDPR risk due to the personal information they hold.
- How are we protecting our data in the cloud?
A common misconception is believing that MSPs or cloud providers are responsible for securing your data in the cloud. They are invested in GDPR compliance, but your organization remains responsible for all of its data stored in the cloud. Relying entirely on a 3rd-party service provider to protect it is a recipe for disaster.
- Can we document our GDPR Compliance?
Part of GDPR is being able to demonstrate your compliance. Examples include statements of the information you collect and process, the purposes for processing, and records of consent from data subjects. It’s a good idea to have a compliance program outlined and to be prepared to respond when asked.
These questions are a good start, but perhaps equally important is employing a trusted 3rd party expert to help guide you through this process. For more information, you can watch a replay of our Webinar on GDPR. Happy early GDPR enforcement day!