The General Data Protection Regulation has many organizations concerned, and with good reason. Although the requirements don’t take effect until May 2018, they may be challenging to address. The first step is to gain a better understanding of them through our frequently asked questions.
- Where do we start to prepare for an audit? The first step is to determine what data you hold. Think about your HR files, client database(s), vendor records, etc. If you maintain any records that include information on citizens protected under GDPR, you need to document not only which systems hold that data, but also the data flow.
- Isn’t GDPR an IT department issue? While it’s true that many of the steps to prepare for GDPR will fall on your IT team, you will need to survey every department to be sure you are not missing any data being collected that IT may not be aware of. You will also want to understand how the data is being used by each department, which will help with question #4.
- What about our 3rd party vendors? Will they need to be GDPR compliant as well? Once you map out your data flow, you will have an understanding of who has access to this data, both inside the organization and among any 3rd parties. You will then need to determine if the 3rd party access is necessary and, if so, that vendors with access are also meeting the requirements.
- What if we determine we can’t afford to meet the GDPR requirements? As with any expense, a business justification will need to be made. For example, if data from only one customer is in scope, is the income from the customer enough to justify the cost of meeting the requirements? Can you perform business functions without collecting data that is in scope? A GDPR gap assessment can help you to determine where you stand today, and what will be involved in meeting GDPR compliance in 2018.