
The time has come: the European Union’s General Data Protection Regulation (GDPR) will go into effect this week, on May 25, and all eyes are on EU regulators to determine how they’ll enforce the requirements.

For companies and end users waiting for an immediate influx of data subject access request emails or major enforcement actions, take a breath — unless you’re Google, Facebook or another tech giant, you can likely continue preparing for GDPR under the radar.

That said, it is critical that all organizations — regardless of size — continue their prep work. If your company is not currently ready to adhere to a GDPR compliance program, it’s essential to put your preparations in motion. For organizations that haven’t done anything to prepare for the regulations, now is the time to play catch-up.

A Risk-Based Approach Is Key

GDPR is an extremely complex regulation, but at its core, it’s a data protection law. This means the GDPR is all about safeguarding the information your company collects, creates, uses and shares, whether it’s collected from your employees, customers or third-party vendors. Because this information originates from so many different systems and locations, you must take a risk-based approach to data protection to best assess and mitigate your company’s top risks under GDPR.

The first thing to do is to take time to understand the nature of the personal data and information you hold. What kind of data and information does your company create and collect? How do you use it all? With whom do you share it?

Only after uncovering all of the data your organization holds will you be able to determine whether you use it and store it in ways that do not create risks for your customers, employees and third-party vendors. Once you have identified all of your data and determined how you use it, here are a few other steps you can take to best implement a risk-based approach to data protection across all programs and systems.


Conduct Data Protection (Privacy) Impact Assessments

Companies should undertake privacy impact assessments (PIA) or data protection impact assessments (DPIA), which are systematic processes for assessing whether they create privacy risks for individuals because of the way they collect, use and disclose their personal data. DPIAs specifically help identify privacy risks and future problems; they can also help identify solutions.

While the GDPR mandates that organizations must conduct DPIAs in the case of high-risk processing activities, many companies already conduct PIAs as part of statutory or regulatory obligations. Other impact assessments, like security assessments, provide a good foundation for companies to evaluate the potential and ongoing risks that may affect their systems, allowing their privacy and data security teams to monitor and recommend appropriate controls when necessary.

By implementing a process to understand if and when DPIAs need to be conducted, organizations will be able to demonstrate accountability to regulators, thus moving closer to full GDPR compliance.


Ensure Privacy and Security by Design and by Default

The GDPR requires privacy and security not only by design, but also “by default.” This means that operations that used to be considered “best practices” will now be mandated activities and will need to be operationally demonstrable. That’s why organizations must take steps toward establishing privacy as a foundational tenet in their strategies. With this in mind, privacy and data protection officers should partner with their IT and business colleagues to ensure that a standardized and repeatable process is implemented at the beginning of a project, rather than near the end. That way, all involved parties will be able to provide advice, guidance and review during every step of the process.

It’s important to keep in mind that privacy teams simply don’t have time to attend every meeting and discussion in which a new IT system, program or campaign is being considered. Instead, privacy officers can do their part by developing a framework that can be used by IT to incorporate privacy best practices by design and by default within their programs and systems. Also, consider using automation to allow employees to request PIAs of systems they are planning to build and deploy so the organization can provide them with reasonable estimates and timelines for their projects in advance. Early involvement will save these employees from the need to make last-minute design changes and decisions under fire.


Demonstrate Accountability to Regulators

Finally, the GDPR requires that organizations maintain detailed documentation of their compliance efforts. To adhere to this particular guideline, companies should not only be prepared to show regulators evidence of their documented policies; they should also be able to demonstrate that those policies are being monitored and enforced regularly.

Risk management for privacy and security intersects with other data life-cycle management programs within organizations, which makes it difficult to track and document data for GDPR regulators. Technology can alleviate this challenge by enabling organizations to combine related data life-cycle areas, optimizing resources and managing the various risks together. As a result, organizations will be able to ensure that they are collecting, using, sharing, maintaining and disposing of information in responsible, ethical and lawful ways.

At the end of the day, GDPR compliance is simple: Companies must be transparent about their reasons for collecting data, and they must offer customers a true choice as to whether or not they want to give their data to companies. Then, organizations must follow through and ensure that they only use the data they collect for the purposes they initially outlined, within the boundaries of consent provided by their customers.

By taking the steps outlined above, you can show true momentum toward GDPR compliance to regulators on May 25 and beyond.