GDPR starts to apply less than a year from now, which seems like reason enough to panic for many data-driven organisations that have so far not addressed the transition to GDPR. But instead of panicking, it may be better to have a look at our autumn GDPR to-do list.
1. Map your personal data
Personal data mapping may sound like a basic step in any data protection compliance exercise, but the truth is that it becomes far more serious under GDPR. Requirements such as privacy by default and by design, stricter consent rules, enhanced data security obligations, and data protection impact assessments all require a very clear overview of the personal information under the company’s control. Whereas the assistance of a privacy professional may be required for a full mapping exercise, a basic overview could easily be made in-house by involving all the relevant departments, such as marketing, sales, HR, legal, and IT.
2. Identify any key risks
In many cases, you do not need to be a trained privacy professional to spot a major data privacy risk. For example, a system in which any employee can access personal data and where no measures such as pseudonymisation or encryption are used is unlikely to comply with the GDPR. Other risks may be more subtle and are best identified and assessed by a privacy professional. For example, using IoT devices might reveal aspects of individuals’ lives not foreseen by the solution provider. Why not start with a homemade list to get an initial idea and then consult a professional?
3. Plan your GDPR compliance journey
Will you simply require one-off assistance or are you in the category of organisations that are required under the GDPR to appoint a Data Protection Officer? With regard to both, you may have to decide whether you plan to tackle data protection issues in-house or seek external expert assistance.