By now, you may have heard about the European Union General Data Protection Regulation (GDPR) that is rattling companies from technology titans like Facebook to small businesses with a website. In short, the GDPR is a legal framework that sets guidelines for the collection and processing of personal data of individuals residing in the EU. The new policies set by GDPR and the ePrivacy Regulation are some of the most significant changes in data privacy regulations in 20 years and will dramatically change how organizations worldwide collect and process data.
If your organization works with data on EU residents, you will be required to comply with GDPR once the regulation goes into effect on May 25, 2018. Non-complying organizations may be faced with fines of up to 20 million Euros or 4 percent of total yearly revenue per incident.
The main purpose of this historic regulation is to grant consumers and individuals a range of data subject rights. With significant data breaches and other data scandals such as Cambridge Analytica, Equifax, and, most recently, MyFitnessPal, continuing to make headlines, organizations are being pressured to treat data privacy as a right.
GDPR will strongly affect how your organization processes data, regardless of which side of the Atlantic you are on. By complying with GDPR, your organization shows that you prioritize your members’ and users’ trust.
Ten Steps to Embracing Privacy by Design at Your Organization
1. Educate your staff, and get buy-in from your top stakeholders.
Don’t be mistaken — GDPR is not solely an IT issue. Whether they work in accounting, membership, or government relations, your staff handles a great deal of data.
Educate your staff on personal and sensitive data, and have everyone, from your leadership team to your boots-on-the-ground staff members, make privacy compliance and data governance a priority in your organization. Privacy by design and default is a key part of data protection. Make it a point to regularly discuss data protection at senior management meetings to maintain staff awareness.
2. Appoint someone on your staff to be the Data Protection Officer (DPO).
While your organization might not be legally required by the GDPR to appoint a DPO, we recommend having someone — or even better, a group of staff members — in your organization to be your internal advocates for data protection.
These people should be well-versed enough in your organizational structure and IT infrastructure to help internal staff understand data protection as it relates to a staff member’s tasks and goals. They should also maintain records of data processing activities, and lead regular audits to ensure privacy compliance and proactively address potential issues.
3. Comprehensively assess your data.
One of the best ways to prepare for your transition to privacy by design and solid data governance is to understand your organization’s data inside and out.
The more honest, transparent, and comprehensive your data audit is, the easier it will be to identify ways to change your business process to ensure GDPR compliance.
When reviewing your organization’s data, think of the 5 W’s:
- Whose data is being collected, processed, and stored?
- What data is being collected, processed, and stored? Of the data you collect and process, what is personal and what is sensitive?
- Where is data being collected, processed, and stored? Remember: Excel workbooks also count!
- When is data collected, processed, and stored?
- Why is data being collected, processed, and stored?