It seems like just the other day that organisations were making their last-minute plans to comply with the GDPR (General Data Protection Regulation), but it was nearly seven months ago. In that time, the public’s attitude has largely gone from panic to indifference, with commenters quick to point out the lack of penalties that have been issued.
The first GDPR fine was levied in Austria in October, and German chat app Knuddels became the second organisation to be punished in November. But that’s been it, as far as significant punishments have gone.
Sceptics have used this as evidence that the GDPR was blown out of proportion. But it would be foolish to have expected the Regulation to have major effects instantly.
Granted, most people didn’t expect it to take this long, but the problem has partly been that regulators have struggled with the ramifications of the GDPR just as much as the organisations within its scope. Supervisory authorities have been deluged with complaints and queries, and it’s taken them time to get through them all.
But according to European Data Protection Supervisor Giovanni Buttarelli, supervisory authorities are now on top of their work, and there should be an increase in action soon.
It’s not too late to comply
GDPR compliance is an ongoing process, and there’s still time for organisations that haven’t yet met the Regulation’s requirements. But it’s just as important to remember that anyone who is currently compliant can’t sit back and consider it ‘mission accomplished’.
Things change quickly in business. You might launch a campaign that requires you to collect new sets of personal data, you might change the way you store that data, or a vulnerability might be discovered in your networks that needs to be patched. Whenever something changes, you must make sure your compliance posture changes with it.
That’s why the Regulation instructs organisations to demonstrate their compliance. This means documenting processes and procedures, and regularly checking them to make sure they’re still adequate.
How IT Governance can help
Our GDPR compliance checklist explains the essential steps you must take to demonstrate compliance.
- Establish an accountability and governance framework
- Scope and plan your project
- Conduct a data inventory and data flow audit
- Conduct a detailed gap analysis
- Develop operational policies, procedures and processes
- Secure personal data through procedural and technical measures
- Monitor and audit compliance
For each step, we provide tips for meeting your requirements and suggest products and services that can help.