The GDPR becomes applicable on 25 May 2018, leaving companies 444 days to seize the opportunity and build a competitive advantage in the market. Most advisors and presenters use the broader scope, higher penalties and expected tougher enforcement of the GDPR as a means of persuading companies to buy their services. All of those arguments are relevant in their way, but we believe compliance can be turned into a competitive advantage. Instead of focusing on “have to” and “must do”, think about how a given change in process or behaviour can improve how you are perceived in the marketplace and give you the chance to take pole position. By preparing your organisation for the GDPR and thinking privacy by design, you can build strong trust among your business partners and customers. Depending on your size, type of business and the complexity of your information flows, this Triple4 day may be the milestone on which you start turning compliance into business. If that is too early, Triple3 day (26 June 2017), Triple2 day (15 October 2017) or Triple1 day (3 February 2018) may be the right date for you. Whichever day you choose, we have summarised the steps ahead for your company.
1. Identify the key compliance issues that your company will face under the GDPR
As a first step, ask how your company uses personal data. Does your business, in its everyday operations, rely heavily on information that can be linked to individuals? Is processing personal data your company’s core activity, or only secondary to it? Being clear about how significant personal data processing is for your company determines how much of the work below you face.
Which rules of the GDPR have an impact on your organisation? The stricter consent rules and the requirement for parental consent when offering online services to children? The direct obligations placed on data processors? The rules on profiling and automated decision-making? The security requirements for processing, or the rules on breach notification (including notifying the supervisory authority within 72 hours of becoming aware of a breach, where the breach is likely to result in a risk to individuals)? The GDPR tightens several existing rules and introduces new ones that will affect your organisation (see our blog post on the GDPR). Identify the rules that will have an impact on your business and your organisation, and prepare to implement them.
2. Plan, raise awareness and establish culture in your organisation
Once you have identified the key GDPR rules that affect your business, it is time to plan the work needed to ensure compliance. Allocate resources and set a budget for the privacy work. This may be challenging, but remember that the remaining 444 days are your opportunity to gain a competitive edge by embracing the new privacy rules. Think privacy by design!
Discuss the importance of the GDPR with your company’s management, and educate the staff who are involved in any work or decision-making that concerns the processing of personal data. Once every relevant person in your company knows the privacy basics, it becomes far easier to achieve compliance with the GDPR, to maintain it going forward, and to build it into future projects.
3. Carry out data mapping
The only way to ensure compliance is to understand how you process personal data, so start a data mapping exercise across your organisation as soon as possible. Consider every area of your business, such as HR, product development, customer relationships and advertising, as well as the products and services you offer that involve processing personal data. Map at a detailed level: the types of personal data processed, the categories of data subjects, the purposes and legal basis of each processing activity, how long the data is retained, who owns the processing within the company, where the data comes from, and everyone who has access to it inside or outside your organisation, including where those parties are located (transfers outside the EU/EEA need their own legal footing). Document the data mapping, because accountability is a key principle under the GDPR and the mapping forms the basis of the records of processing activities the regulation requires.
4. Create a privacy strategy based on the data mapping
The data mapping gives you a clear view of your company’s processing of personal data. Based on it, you can assess how each processing activity measures up against the GDPR’s rules and identify the compliance gaps. Create an action plan that addresses those gaps and mitigates the associated risks, and do not forget the organisational and accountability obligations that the GDPR places on both controllers and processors.
5. Implement, review and maintain
Implement the action plan and close the gaps. Remember that maintaining compliance is a continuous effort that covers both the organisation and the processing itself. New projects, products and services must be developed with the privacy of your users, customers and partners in mind, as the GDPR requires. Treat the GDPR as a unique opportunity to build competitive advantage and trust!
Synch’s privacy experts are assisting companies in their preparation for the GDPR and are happy to help your company too. For example, Synch provides an online tool for assessing personal data processing and identifying compliance gaps. For further information, please contact Ida Häggström or Vencel Hodák.