On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into effect, changing the way organisations handle personal data. The Regulation strengthens individuals’ rights concerning the way personal data is used, and requires that organisations take extra steps to make sure data remains secure.
The GDPR applies to any organisation that handles EU residents’ personal data. If that includes you, there are certain things you need to do as soon as possible.
- Establish a governance framework that covers board awareness, the risk register, the accountability framework and the review process.
- Appoint and train a data protection officer.
- Create a data inventory that identifies processors and any data that’s held unlawfully.
- Conduct a data flow audit.
- Perform a gap analysis to assess your compliance, making sure that your business processes are robust and in accordance with the Regulation.
- Conduct a data protection impact assessment and a security gap analysis.
- Complete remedial actions in line with your chosen framework (e.g. Cyber Essentials or ISO 27001).
- Create a data breach response process and then test it.
- Monitor, audit and continually improve each step.
With the enforcement date for the GDPR rapidly approaching, organisations that are not yet compliant will have to work intensively across all of these areas to be ready in time. Some of these steps can be tackled simultaneously, but organisations need to be disciplined and make sure enough attention is paid to each part of the process.
Those who want to learn more about how they can comply with the Regulation should read our free green paper: EU General Data Protection Regulation – A Compliance Guide.
This guide provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation and the areas that organisations need to focus on.