GDPR is a complex, wide-ranging set of rules that most organizations doing business with Europe need to follow. Its reach goes beyond Europe, too: California and others are adopting rules identical to or close to GDPR.
While it seems like GDPR is a lot to tackle, with large fines if you fail, you can get started by hitting the top areas first. Here are ten steps to take – right now!
Your organization, and all relevant stakeholders, should be up to speed on GDPR rules – which are now over two years old. First thing to discover – do you fall under these rules? If so, all employees who touch sensitive data, and especially the IT department, should know these rules and how to follow them.
2. Find Out Where You Stand
Companies are in various states of GDPR compliance, ranging from none at all to complete adherence. Before embarking more deeply on your GDPR journey, find out where you stand right now. What are your policies and practices regarding data governance? Are they presented to the outside world in an open and transparent way?
If there is already data governance documentation, review this and use it as a starting point for further work. Under GDPR, this kind of documentation is mandatory. This is all part of a data protection assessment, which you can learn more about here.
3. What Data Do You Have?
Almost every organization has at least some sensitive information, and chances are it needs protecting. IT should use a data audit to discover this information: where it came from, where it resides, and who has access.
4. Posting Privacy Policies
5. Create or Fine-Tune Consent Procedures
6. Dealing with Subject Access Requests (SAR)
Under GDPR, any person who has data about them held in your organization can file a SAR, which means you must gather that data, provide it to them, and delete it if requested under the right-to-be-forgotten rule.
7. Build GDPR Staff, Including Data Protection Leads
Just as you need to educate all those who touch or process sensitive data, your IT and executive staff have their own responsibilities. A core decision is who has overall responsibility for data governance and compliance. At the same time, you need a point person to deal with regulatory authorities, who may or may not be the same person who manages governance.
8. Data Breach Reporting
Blocking data breaches and reporting those that break through your barriers are key parts of the GDPR rule set. You need to have processes to prevent, investigate, report and respond to breaches. Blocking breaches is a top priority as fines are assessed for successful incursions. Having processes related to breaches can mitigate the monetary damages if one occurs.
9. Know What Rights Data Subjects Have
GDPR is all about protecting data and giving the data subjects deep rights. These include the right of access; the right to be informed; the right to restrict processing; the right to data portability; the right to object; the right not to be subject to automated decision-making, including profiling; and the right to erasure (the right to be forgotten).
You must have a plan to adequately respond to any requests relating to any of these rights, including what systems are needed to respond and who is responsible.
10. Continually Update Your GDPR Compliance Plan
It is clear that shops facing GDPR compliance need a plan that includes best practices and policies. This is just the start. Regularly review the plan to ensure it stays current with your organization’s changes and with modifications made to the regulations.
What CoreView’s CoreScan Can Do For You
CoreScan from CoreView is a great tool for identifying data that falls under compliance rules. With CoreScan, it only takes a few seconds to audit your company’s documents for Personally Identifiable Information (PII), and a few quick clicks to meet GDPR compliance. Here are other key benefits:
GDPR Compliance Is Simplified
CoreScan helps you find sensitive data so you can manage data risks and remain GDPR compliant.
File Scanning Is Lightning Fast
With CoreScan, you can look through thousands of documents for sensitive information in mere seconds.
Taking Action Is Easier
Whether you need to redact info or delete files, CoreScan makes it easy to locate issues and take action.
Prioritization Is Built-in
Risk scores help you prioritize a file’s threat level. Score more for credit card numbers, less for email addresses.
Reporting Is Fine-Grained
Scans can focus on particular folders, file types, PII and more, so reports show exactly where action is required.
Scan All Your On-Premises Documents
This on-premises GDPR software solution offers a comprehensive review of all key documents.
Finally, thanks to CoreScan, a company like yours saved $550,000 by reducing a Subject Access Request response time from 20 days with four employees to under five minutes with just one employee.