5 GDPR Compliance Tips for Businesses That Are Still Lagging Behind

Author: Anna Johannson
Date Published: 18 December 2020

We’re more than two years removed from the introduction of the General Data Protection Regulation (GDPR) into EU law. And despite the deadline having come and gone, many businesses are still lagging behind. If GDPR compliance remains a challenge for your organization, here’s what you need to know.

5 GDPR Compliance Tips
Under the GDPR, enacted just a couple of years ago, any company that collects data on citizens of the European Union (EU) must comply with strict rules that protect customer data and set standards for how that information may be collected, stored, and used.

The European Parliament adopted the GDPR in 2016, but it wasn’t until May 2018 that it became enforceable. It carries strict provisions that require businesses to protect data and take proper steps when exporting any personal data outside the EU. As industry insider Michael Nadeau explains, “The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.”

The problem is that many businesses are still lagging behind in the compliance department. In fact, a Forrester study conducted in 2019 found that more than half of businesses surveyed had not taken the necessary steps to achieve GDPR compliance. (And in case you’re wondering, GDPR violations are being taken seriously. Dozens of companies have already been fined, including massive €50 million and £99 million fines against Google and Marriott International, respectively.)

While you might think your business is too small to be fined, think again. Large companies are being used as examples, but small businesses can and will be penalized. Here are a few ways you can become and/or remain compliant:

1. Review and Update Your Privacy Policy
When someone checks your GDPR compliance, they’re going to begin with your privacy policy. If you haven’t already updated your policy, start here.

A GDPR-compliant privacy policy must communicate to website visitors and users your legal basis for processing data, how long you retain that data, and the rights customers have to complain or question the way their data is used. The information must be conveyed in a brief statement that’s easy to understand.

2. Conduct Regular Audits and Risk Assessments
According to GDPR stipulations, organizations are required to conduct semi-regular audits of their data processing activities. To do so, you’ll need to answer questions like these:

  1. How is data being collected?
  2. How is data being processed?
  3. Where is data being stored?
  4. How long is data being retained?
  5. Is the data needed?
  6. Which individuals have access to the data?

The more frequently you conduct these audits and assessments, the less time-consuming they become. It’s all about staying on top of things so that GDPR compliance is manageable.

3. Hire GDPR Consultants
Many businesses lack the time or expertise to ensure they’re remaining compliant. If you feel like there’s a gap between where you are and where you need to be, consider hiring a GDPR consultant.

When searching for GDPR consultants, do your due diligence. There are a lot of “wannabes” on the market – so it’s important that you find someone who is qualified, knowledgeable, and who has your best interests in mind.

4. Conduct Proper Training
It’s not enough for a couple of people at the top of the organizational hierarchy to understand GDPR compliance. Your staff – the people working on the ground levels – need to understand the importance of compliance and the various company policies and regulations for staying in the clear. You can do this by providing regular staff awareness training.

5. Create (and Practice) an Incident Response Plan
Issues will occur. Even the most airtight GDPR compliance strategy will have its momentary lapses. In these instances, it’s helpful to already have an incident response plan in place. This allows you to respond quickly and effectively.

Get a Grip on GDPR Compliance
GDPR compliance isn’t a fun or exhilarating topic, but it’s one that needs to be discussed and accounted for. Use the information contained within this article to provide some direction and clarity. It’ll take an investment of time and money, but your compliance will ultimately reward you with something entirely invaluable: peace of mind and increased customer trust.

Editor’s note: Those seeking to become CDPSE-certified can now register for a new beta exam. To register for the CDPSE beta exam in January, visit https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer. For more information on CDPSE early adoption, visit https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer.