When it comes to managing Personally Identifiable Information (PII) and other sensitive data, new obligations under the General Data Protection Regulation (GDPR) may apply to your organization.
You may have gaps between your existing levels of compliance versus the new standard required under GDPR.
What should you do?
GDPR replaces the European Union (EU) Safe Harbor Directive and will be directly applicable in all EU Member States without the need for implementing national legislation. GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the EU. It becomes effective May 25, 2018.
To prepare for GDPR, organizations that will be impacted must take a hard look at their information management and information governance best practices, with data protection laws and rights in mind, as a means of scrutinizing their internal practices against compliance and security protocols.
The following key areas are a useful starting point for many organizations:
- Security Breach Preparation
- Governance & Accountability
- Designed-In Privacy
- Purpose-based Data Use Consent
- Policy Transparency
- Data Subject Rights
- Data Processing Requirements
- International Data Transfers
All of these component areas must be meticulously evaluated, with processes reviewed for strict compliance and accountability, because the GDPR comes armed with measures for significant sanctions.
When it comes to preparing for GDPR, organizations need an objective, third-party assessment of their existing and planned data security and privacy controls as part of their Records and Information Management (RIM) program. The aim is to understand the gaps between the current state and a desired future state in which internal and external compliance is achieved and benefits are delivered. The key activity and outcome of a GDPR readiness assessment is an assessment of the existing, current-state corporate records and information management components.
A GDPR readiness assessment is a review of existing, current-state corporate records and information management program components.
There are four key stages to a GDPR readiness assessment.
- Planning & Management: Establish parameters, scope, and fields for critical data mapping. Determine key stakeholders, goals and dates. Schedule interviews and workshops.
- Information Gathering: Develop interview prep materials and distribute. Develop, schedule and execute interviews. Identify policies, procedures, contract templates and existing inventories of systems that are managed. Collate data from stakeholders about data repositories that are used to generate, manage and archive data with their environment and also with third-party entities.
- Develop Current State Overview & Generate or Refresh a Data Inventory: Define the data inventory templates and system criteria. Validate and finalize the data inventory template, updating it with discoveries from the gathering phase so that data repositories for both structured and unstructured data are tagged with retention, privacy, security and other required classification characteristics. Generate a current state overview aligned across people, processes, technology and the specific privacy requirements driven by GDPR.
- Define Future State Roadmap & Implementation Plan Next Steps: Finalize and validate the data map based on the discoveries from the Information Gathering phase. Summarize and report both the current and future states. Define next steps in a roadmap and implementation plan to close specific GDPR gaps and mitigate risks, particularly from a data privacy perspective. Collaborate with stakeholders to make last-minute adjustments and incorporate analysis and findings.
Getting Prepared Today
The chief goal in preparing for the arrival of GDPR is to assure that your organization has the proper controls in place to secure, manage and protect information according to both its risk and its value to the organization.
A further goal is to assure that PII and other sensitive personal information can be handled as required upon formal request and in line with the GDPR. The steps that help reach these goals include a detailed risk assessment that culminates in an information governance-based future state roadmap and implementation plan, alongside a data inventory map, to position your enterprise for the impending regulatory requirements.
Effectively preparing for GDPR enables organizations to ensure transparent, good faith operations for the governance, use, preservation, retention and disposition of information.
Organizations can reduce overall information management costs and reduce risk through an effective GDPR readiness program. Is preparing for GDPR on your agenda for 2017? Got a GDPR preparation question? Let us know in our Leave a Comment section below!