Over the past few weeks, we’ve explored GDPR, the General Data Protection Regulation in place throughout the EU. Specifically, we looked at what GDPR is and how GDPR can impact U.S. businesses. Today, we’re going to discuss specific steps you can take to comply with GDPR.
Quick recap: GDPR won’t change the way your business interacts with U.S.-based consumers, but it will apply to you if you offer products or services to people in the EU or monitor their behaviour, whether or not they are EU citizens. If you fail to comply, you can be fined up to 4% of your annual global turnover or 20 million Euros, whichever is higher.
Avoiding this serious penalty comes down to one thing: complying with GDPR. Here are five steps to do just that:
The best place to begin is with a thorough audit of your existing data and your existing security controls. This kind of audit is the foundation for the record of processing activities GDPR requires (Article 30), and it feeds any Data Protection Impact Assessment (DPIA) you later need for high-risk processing (Article 35). You cannot work towards compliance until you have a comprehensive understanding of both the types of personal data you currently hold and the process by which you collect it. The purpose of the audit is not only to take stock of what’s there but to help you assign priorities and identify high-risk issues. All of this information will empower you to comply with GDPR.
To conduct your audit efficiently, consider leveraging data protection software. Avexta’s DataSense automates data discovery for a GDPR data inventory, then maps and organizes your data according to your environment. DataSense supports remediation actions for responding to DSARs (Data Subject Access Requests) and for honoring GDPR’s Article 17, the right to erasure (“right to be forgotten”), both essential components of GDPR compliance.
Break down the silos between your marketing and IT departments. GDPR is an issue that will affect both of these departments equally, and they need to be on the same page if you hope to comply with GDPR. Marketing needs to understand the technology IT will put in place to safeguard consumer data, and IT needs to understand the nuances of marketing’s expectations of consumer trust.
Once you unify your teams, educate your staff, specifically anyone who works with personal information, about GDPR. That means anyone who has anything to do with security, customer relationship management, data entry, sales, and so on. Everyone needs to have the same level of understanding when it comes to the regulation and the potential penalties for non-compliance.
The teams are united and educated; now, it’s time to put someone in charge. Appointing a Data Protection Officer (DPO) is the clearest way to do that. Your DPO will oversee all GDPR efforts within your company. It’s harder for things to fall through the cracks when you clearly establish responsibility and expectations. GDPR only mandates a DPO in certain cases (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), and the role can be filled by an external provider rather than an in-house hire, but naming someone accountable is worth it to avoid significant fines.
Now that you know how to comply with GDPR, go forth and begin!