We all know the EU’s General Data Protection Regulation (GDPR) is coming. With it comes the potential for multi-million dollar fines if your company handles the data of EU citizens or companies, but isn’t compliant.
With the help of Tim Bell, UK lawyer and GDPR expert with DPR Group, we’ve put together a list of what your company needs to do to prepare for the May 25, 2018 GDPR regulations.
How to Ensure Your Company is GDPR Compliant:
1. Appoint a Data Protection Officer (DPO)
If your company is a public authority, and its activities involve monitoring data of subjects on a large scale or involve the processing of sensitive data on a large scale – then you need a DPO under new GDPR rules.
2. Appoint a Data Protection Representative
If your company isn’t based in the EU and you do business there or handle the data of EU citizens, you need to have an EU-based rep for data-related information.
3. Conduct a data audit
Assess what you have, both physically and electronically. Delete data that is out of date, where adequate consent wasn’t obtained, or if the data is no longer relevant. If you’re destroying data, make sure it’s handled by a certified company, like TechReset. Not all data erasure companies are properly certified. Learn more about what to look for in your ITAD reporting.
4. Conduct a cyber-security audit
This type of audit should reveal the type and volume of data you possess and ensure that physical security is also adequate. Obtaining an ISO 27001 certification for the security of data management is a good idea.
5. Maintain proper documentation
Document your procedures for the handling and protection of privacy for the data you collect. Including through the end-of-life for your IT asset management. Ensure that all employees know and understand how the protection of data applies to them and is handled in your organization.
Be prepared for a “Data Event”
One more thing – in the case of a ‘data event’ you need to have a plan in place to handle it. This could be: subject access requests (when a person requests the data set you have on them), or when they submit a request to be forgotten (destroy my data please) or in the event there is a data breach.
Under the GDPR we must all ask about the data we’re collecting and how it’s going to be managed from the initial point of contact, right through to the end-of-life IT asset management when that equipment is disposed.