- Increase Awareness of GDPR Within Your Team
Education should start at the top and filter down in order to gain stakeholder buy-in. Remember that business unit stakeholders don’t need to understand all the subtle nuances of GDPR, but they do need to have a general grasp of the terminology, required controls and desired outcomes.
- Appoint your GDPR data privacy Champions
In accordance with GDPR requirements, a Data Protection Officer (DPO) may need to be formally appointed for your organisation. Irrespective of whether or not this is the case, the appointments shouldn’t stop there. Your organisation should have a GDPR Data Privacy Champion with each line of business. The Data Privacy Champion appointed for your department will need to work with the appointed DPO, PMP team members and other key GDPR stakeholders to ensure organisational harmony and cohesiveness in terms of GDPR compliance activities.
- Get to Know the Personal Data Elements Under Your Control
Whether you’re in Marketing, Customer Services, Sales, HR, procurement or one of the other divisions within your organisation, where GDPR will be a focal point, you should immediately start identifying all the personal data relating to EU citizens that is under your control.
- Catalogue Your Personal Data Processing Activities
GDPR-compliant personal data processing procedures can be implemented centrally or departmentally. There are no hard and fast rules, but you can’t create procedures until you understand how you and your department processes the personal data that’s under your control. You must also understand the context of that processing as it relates to lawfulness of processing in accordance with the GDPR.
- Engage Your legal, Compliance, and Information Security Teams
This almost goes without saying. Since GDPR is a regulatory mandate, your legal, compliance and information security teams should be deeply involved from the outset. They should already be working with senior business stakeholders and the DPO to ensure organisational buy-in and be engaged with IT in relation to personal data discovery and safeguards. It’s important that you engage with these teams to ensure that you fully understand what’s expected from you from a departmental perspective.
- Review Your Consent Requests and Transparency Notifications
Make sure you identify how your part of the business is currently obtaining consent and providing notifications of processing. Review your personal data collection processes and the wording of your existing privacy notices with our legal team.
- Identify and Educate Your Personal Data Handlers
Once the senior stakeholder buy in is in place, you should start engaging and educating those employees within your area of business that handle or process personal data as part of their everyday responsibilities. Consider eLearning as an efficient and effective means of achieving this.
- Plan for Privacy Breach Identification and Response
To provide a breach notification as per GDPR, you need to actually know that a breach has occurred. That sounds straightforward and maybe even common sense but knowing that a breach has occurred can be challenging.
To help determine whether you know what’s happening with the personal data under your control, here are some questions you and those in your department should be asking:
- How do we know if personal data has been accessed by unauthorised personnel?
- Do we have any personal data stored in the form of unstructured data, such as word documents?
- How are we managing the flow of personal data in and out of our department?
- Are we accounting for the transfer of personal data across email and cloud application?
- Update Your Procedures for Data Subject Request Handling
If your customers (i.e Data Subjects) are not already asking for the data you store and process about them today, it’s very likely they will be once GDPR is fully in effect.
You should have well defined, consistent processes and procedures for handling requests related to the Data Subject rights covered by GDPR. Ideally, to streamline operations and maximise accountability, these processes should be the same across your various lines of business.
- Identify and Assess and External Data Processing Activities
Lastly, start documenting any third-party data processing services leveraged by your department. Do you use third parties to consolidate your marketing data and manage mailing lists, for instance? Make sure that you’re considering all potential third-party data processing scenarios.
If you are looking for guidance on how to streamline your GDPR project or are unsure if your business is on the right track to compliancy, click here to find out how MetaCompliance can help.