6 steps to GDPR compliance

Here are six steps that your organisation should follow in order to stay compliant with the EU GDPR regulations

The General Data Protection Regulation (GDPR) — designed to protect EU citizens’ data — will become law. Its intent is to ensure that organisations are including “privacy by design” in their security strategies and make them more accountable to their customers. The introduction of GDPR in 2018 brought data protection to the top of businesses’ priority lists. So how can businesses ensure they are compliant and what steps do they need to take? Here are six steps to ensure success from the compliance process with GDPR.

1. Understand the GDPR legal framework

The first step to ensuring compliance is to understand the legislation in place, as well as the implications of not meeting the required standards, by doing a compliance audit against the GDPR legal framework.

Part of this compliance audit, no matter the size of the company, is hiring a data protection officer to explain the regulations and apply them to the business. It’s preferable that this person has a combined legal and technology background so they understand both the regulatory framework and the technical specifications needed to meet this. As each organisation is unique, the road to GDPR compliance will be different as well. Correct guidance from leaders within the business needs to be adapted to this.


GDPR: What do you need to know?What are the key areas organisations need to take into consideration when taking their first steps to implement GDPR?


2. Create recordings of processing activities

Once businesses have a clearer idea of their readiness to meet the regulatory requirements, they need to keep a record of the process.

The data “controller” — the person or entity responsible for determining the purposes and means of processing of data – needs to record details including:

  • name and contact details;
  • purposes of processing;
  • description of categories in which data resides;
  • categories of recipients “to whom the personal data have been or will be disclosed”.

Should a breach occur during the early stage of implementation, the business should be able to show the relevant authority its progress towards compliance through its diary.

Without any proof that the company has even started the process, a fine of up to €20m (approximately £18m) or 4 per cent of annual global turnover — whichever is greater — could be issued for a breach.


General Data Protection Regulation: the BC/DR impact — What is the business continuity and disaster recovery impact of GDPR on global businesses?


3. Classify your data

This step is all about understanding what data businesses need to protect and how that is being done. Businesses must firstly find any Personal Identifiable Information (PII) – information that can directly or indirectly identify somebody – of EU citizens. It’s important to identify where it is stored, who has access to it, who it is being shared with etc.

They can then determine which data is more vital to protect, based on its classification. This also means knowing who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.


GDPR: guide to complianceFind more on how to stay compliant, here.


4. Start with your top priority

Once the data has been identified, it’s important to start evaluating the data, including how it’s being produced and protected. With any data or application, the first priority should be to protect the user’s privacy. When looking at the most private data or applications, businesses should always ask if they really need that information and why. This data is always of most value to a hacker and hence has the highest risk of being breached.

Businesses should complete a Data Protection Impact Assessment (DPIA) of all security policies, evaluating data life cycles from origination to destruction points. It’s important to remember when doing this, of the rights of EU citizens, including data portability and restriction of processing. The “right to be forgotten” is one to consider as part of GDPR.

This is data third parties can use to identify someone must be deleted if requested and approved by the EU. It’s vital this data is correctly destroyed and can’t be accessed.

From here, companies should evaluate their data protection strategies – how exactly they are protecting the data (for example, with encryption, tokenisation or psuedonymisation). This must focus on the data they are producing, data which has been backed up – either on-site or on the cloud – and historical data that can be used for analytical purposes.

Businesses must ask themselves how they are anonymising this data to protect the privacy and identification of the citizens it relates to. Always keep in mind that data should be protected from the day it is collected, through to the day it is no longer needed and then it should be destroyed in the correct manner.


Change is coming: the GDPR stormHere’s how GDPR has shaken up the tech industry.


5. Assess and document additional risks and processes

Aside from the most sensitive data, the next stage is to assess and document other risks, with the goal of finding out where the business might be vulnerable during other processes.

As this is being done, it is vital businesses keep a roadmap document to show the relevant regulator how and when they are going to address these outstanding risks. It’s these actions that show the DPA that the business is taking compliance and data protection seriously.


Benchmarking global readiness for the GDPRHere’s how the regulation has been benchmarked globally.


Step six – revise and repeat

The last step is all about revising the outcome of the previous steps and remediating any potential fall out, amending and updating where necessary. Once this is complete, businesses must determine their next priorities and repeat the process from step four.

Security needs to be at the forefront of every new idea, plan and application for businesses moving forward. Companies can ill-afford any breaches.

Those that fail to show they have the right measures in place — or at least making efforts to — will face fines and undoubtedly a big hit to their reputation. In a year’s time, regulators will start to get the real picture of how seriously businesses are taking the security of their data — and the number of breaches really taking place.

Jan Smets is owner of security and privacy consultancy ITbrouwerij, formerly data security expert at Gemalto.

Related:

Information Age guide to data + privacyHere are strategies and tools to ensure you stay compliant.

Best GDPR compliance software for CTOsUsing software to automate GDPR compliance can save you time and money.

What are US companies’ view on GDPR? — Here is how companies in the United States have been examining the EU data regulations.

Related Topics

GDPR