Other parts of this series:
Are you ready for GDPR?
You may think this is a strange question, given that the General Data Protection Regulation came into effect last year on 25 May.
However, in my previous post I made reference to Mark Schreiber, Co-Chair of Privacy and Security at McDermott Will & Emery, whose studies have led him to believe that half of all companies are still in the process of GDPR compliance.
When GDPR came into effect last year, you probably started your initiatives to comply with the data privacy laws. It’s been a year of getting your house in order, but how ready are you really for GDPR?
Take a moment to reflect on your business and your GDPR status, and answer the questions below as truthfully as you can:
Are you confident of complying with the following requirements of GDPR?
|Requirement||What it entails|
|Tighter restrictions around consent||Have you got the consent balance right so as not to scare off customers?|
|Appoint a data protection officer (DPO)||If you monitor on a large scale or process special data, have you appointed a DPO to oversee your process?|
|Report an incident to the supervisory authority||Have you reported an incident or a data breach within 72 hours of finding it?|
|Give an individual all of their personal data||Are you able to meet a person’s request for their personal data, including where it is, what format it is in, how to extract it, and how to port it?|
|Erase all of an individual’s personal data||If requested, are you able to find and erase all of a person’s data across the organization, including that which is with data processors?|
|Cover a wider definition of personal data||Data categories now include physical, physiological, economic, mental, genetic, cultural and social identity markers—can you process and control all of it?|
Where are you in your GDPR journey?
The GDPR compliance journey can be divided into five stages:
You understand the specific gaps and required activities by conducting a factual assessment. You are clear on the scope of your GDPR project and you have a prioritized set of activities that are traceable to legal requirements.
You understand the gaps and remediation steps and can use these requirements to create a structured GDPR program. You’re armed with an integrated program consisting of a high-level roadmap, details of the capabilities needed and a business case to move forward.
You can design and implement the minimum requirements defined in the starting scoping phase and you have documentation with a clear explanation of the activities undertaken, the delivery decision and outcomes achieved.
- Sustainably complying
You are armed with the processes and tools to sustain compliance.
You are able to realize strategic and operational opportunities from your efforts to comply with GDPR.
Are you able to supply a sufficient data access report if requested?
Have you ever tried requesting a data access report from an organization? Were you satisfied with the results? When an individual requests a data access report from your organization, will they be happy with what they receive?
In order to know whether or not your data access report adheres to the requirements of GDPR, you need to be able to answer the following questions:
- What does your data access report look like?
- How is it being generated? Is it automated or ‘piecemealed’ together?
- How long does it take—a day, a week, a month or more—to deliver the report?
- Is your report complete? Does it capture all of the required information?
- If not, how can you develop the capability to provide a compliant report?
How to know if you are GDPR-ready
There are many steps to GDPR readiness, but perhaps the most crucial checklist is whether you’re upholding data subjects’ rights while meeting your data controller or processor obligations:
|Data Subject Rights||Check (√)||Data controller or processor obligations||Check (√)|
|To be forgotten||To notify the data subject of all use and/or changes|
|To use data only with consent||To conduct impact assessments|
|Not to be profiled||To protect data transfers outside the European Economic Area (EEA)|
|To suspend data use||To consider applying encryption, pseudonyms, masking of data|
|Data portability||To enable privacy by design or default|
|To get an explanation of how data is used||To protect data against breaches|
|Data accuracy and remediation|
|To be erased and / or deleted|
In my next post, I will show you how to simplify your GDPR compliance journey. Until then, you can read these six practical steps to GDPR readiness or contact me here or on Twitter (@knott_nic) to discuss GDPR, to find out more about digital HR in financial services or to join us at the Change Directors Forum and People Innovation Forum in London.