GDPR is not just a task for the Legal / IT department
The first step is awareness and GDPR education from the top to the bottom of your organisation. You must build a new business process model for handling personal data, because you are now accountable for it.
GDPR is a risk mitigation project at board level.
GDPR must be structured from the board level down. It requires completely new business processes, and ONLY when they are in place, based on risk mitigation, can the specifications be handed to the IT department. The board of directors must think differently: they must clean up ALL old personal data and decide what to keep and for how long. No vendor software product or AI tool can make that decision for them. Data discovery tools will not find all of the personal data you hold, and if the new business processes are not in place, finding the data changes nothing. Data has become a commodity just like gold and oil, and with GDPR you are NOW accountable for it!
The Guidelines on Data Protection Impact Assessment (DPIA) explain how to evaluate high-risk processing of personal data and how data should be collected, minimised and processed under the law. Because data has become an asset of the company, besides protecting it like any other asset, the board or owners must be able to answer two simple questions: how much do we have, and where is it? These are the same questions you constantly ask about your main assets: stock and cash!
Accountability and Certification.
Awareness and education of the employees handling data is the first step! "Accountability", "minimisation under the law" and "for how long do we need the data" form the model for the risk mitigation process, which should include the DPO and the legal department so that internal policies are drawn up according to the GDPR. Doing it right from the beginning will save the company a lot of money in the future, as regulations and fines will only increase over time. Note that protecting the data will itself generate more data, because you must be able to demonstrate to the data subjects how their data was used or that it was deleted!
Accountability towards the data subjects is the final goal.
Two golden rules for successful compliance are privacy by design and segregation of personal data, with encryption or pseudonymisation where appropriate (both are named in the GDPR as security measures). Some organisations also consider recording processing activities in a digital ledger such as a blockchain; if you go that way, keep the personal data itself out of the immutable ledger, since an immutable record cannot be reconciled with the right to erasure. Only this foundation can lead to trusted certification, which in turn will give you advantages and new business opportunities, as your company will be ahead of the many businesses that misunderstand the opportunities this new law is actually creating.
Compliance with GDPR is not a negative; read here why GDPR is good for businesses.
Your company might need a DPO – Data Protection Officer.
Under the GDPR, a Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; a company size threshold alone (such as 250 employees) does not decide it, although the 250-employee mark does matter for the duty to keep records of processing activities. The DPO is an independent person within the company or organisation who monitors compliance with the law, advises the board and acts as the contact point for the supervisory authority; the company itself remains responsible for notifying the supervisory authority of a breach (within 72 hours of becoming aware of it). So do not make the mistake of simply passing these tasks to your IT department either, as they will happily ask for a bigger budget and build you something that might not even comply, and it will end up costing you much more than starting risk mitigation correctly from the top down. Putting the right processes in place, together with a response team for data breaches (which are almost impossible to avoid entirely), will also give you an advantage with regard to future regulations and help you avoid the high fines.
Remember, it is the company and ultimately its board of directors that is fined, not the IT department!
Awareness and education of the employees handling data is the most important measure, as most data breaches happen due to HUMAN MISTAKES, not hacking! So constant education of employees is needed!
EUROPEAN CENTER FOR GDPR CERTIFICATION can help with implementing and certifying GDPR compliance. They maintain a list of trusted companies worldwide.