The minimum you need to do before GDPR goes live: 4 stages to compliance
The minimum you need to do before GDPR goes live: 4 stages to compliance

The upcoming General Data Protection Regulation (GDPR) goes live on May 25, 2018. It gives control of information back to the individual while bestowing specific responsibilities that must be adhered to by controllers and processors


This regulation has global reach. It is a European Union regulation that affects and protects people who live in the EU, but if you're an organisation on the outside that collects data on EU individuals, it will impact you as well.


Of course, fines in the tens of thousands of pounds have already been levied because of breaches of the UK's Data Protection Act. Under GDPR, penalties are likely to be much more severe. Indeed, under the new regulation, the maximum fine could be as much as €20 million or four percent of global annual turnoverwhichever is higher.


The size of these potential fines has helped focus the attention of senior management within many organisations but there is still widespread uncertainty of what the real impact of GDPR is likely to be and how businesses can move forward over the long-term.


Scoping out the challenge


As GDPR approaches, organisations need to recognise that there are four stages to becoming compliant. First, prepare: Understand the situation along with what kind of data you have and how it's being used. Second is the production process: How you assure your processes comply and that you're doing what you need to do as you move forward. Third, governance: How you are watching and assuring that you remain vigilant in keeping compliant? Fourth, reporting: Putting reports in place so you can see what data and processes you have while also being ready in case authorities need to ask these questions.


That's the high-level view. Let's now delve in a little more detail into each of these areas, beginning with the preparation process. A good starting point is getting a handle on the data collected in the past along with what you do with it and whether you should have it. You need to understand what is currently in place before you can start making changes to move forward. There are some important questions to ask. What personal information is being stored? How did we obtain it? Do we have the correct consent for it? Why was it collected. What processing is being applied? Is unused information being stored? 


The production process is about compliance across the lifecycle. To remain compliant, you must show how you protect that data and use it only for the means for which it was collected. The individual can request any data you have on them, how you are using it, that you move it to another processor or have it erased. You need a means to respond to all those requests. That's where a robust content management system can really help.


The next stage is providing a means of assuring that you remain compliant. This is known as governance. It involves educating your own organisation so that they understand all the requirements of GDPR – but also watching – and assuring that you maintain compliance. Compliance is maintained when you as an organisation only collect the data you need, you have a lawful basis for using it, you gather consent for it as necessary; you maintain its quality and process requests to update the data, you track what data you have, and you delete it when no longer needed. Another important part of the governance process is to be ready for audit.


Data protection impact assessments are an ongoing way of assuring you are thinking about privacy and the protection of information when defining new processes. It is reported that 55 percent of businesses seem to be doing some level of impact analysis but the automation is not there. One way data intelligence products can help with this is by starting from the bottom. Your data can be mapped and viewed through a browser so you and anyone in the organisation with access rights can understand the entire process.


The final key stage is reporting. It's important to have reports for yourself and the organisation but also for audits. There are systems available which provide the ability to create a data inventory report of all your protected data and show where it is stored and how it is used. You can also make a data lineage report to show where the data comes from and how it is transformed and used throughout the organisation while also identifying unused data and having it removed.


Forward planning


So, in summary, GDPR is fast approaching. You can't afford to delay your plans to get ready for it. Begin the process of compliance as soon as possible. Even if your business is outside of the EU, the GDPR may affect you if your customers are within the EU. Fines for noncompliance can reach into the millions and will have a significant impact on your profits. As we have already highlighted, the four stages of complying with the GDPR are preparation, production, governance, and reporting.


Technology can help streamline this process of course. It's important to put data intelligence tools in place that will allow you not only to conduct an audit of the data you have collected in the past but also address compliance in the future.


Finally, this is about more than about just GDPR itself. Studies and surveys indicate that concern over privacy is at an all-time high. Businesses that comply with GDPR and clearly demonstrate that they have a privacy by design rather than by default approach in place will likely find their customers will reward them with repeat business, loyalty and trust.


Contributed by Rob Perry, vice president product management at ASG Technologies


*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.