Prepare your organization for the new European privacy legislation with this GDPR roadmap

On May 25th, 2018, the General Data Protection Regulation (GDPR) will take effect. This new European privacy regulation aims to improve personal data protection throughout the European Union. Organizations will have to assess and, if necessary, tighten up their in-house protection of personal data. How exactly do you do this? What steps do you take, and when do you take them? In this article, we describe the steps your organization will be required to take in order to comply with the new legislation. This GDPR roadmap can be used as a guide to review and refine the business processes adopted by your organization.

Start with the GDPR roadmap today

The general steps to take to meet the GDPR are the same for all organizations that deal with EU citizen data. The GDPR roadmap is presented in the infographic below. Which additional steps you may need to take and how these steps should be taken varies from organization to organization. We will come back to this later.

GDPR roadmap

1. Prepare

The first step is knowing exactly what personal data your organization processes. Personal data is all data that describes a person or their existence – either directly or indirectly. This may include phone numbers, email addresses, customer account numbers, suppliers or business contacts. There are also ‘special categories’ of personal data, such as medical data. You should know the following about every piece of data your organization processes:

  • For what purposes do you process this data?
  • What kind of data does this include?
  • What does the processing of this data entail?
  • Where is this data stored?

This overview will help you to understand your specific data processes. Find out which legal requirements and stakeholder expectations you need to fulfil. Once you have completed this overview of your organization’s data processing activities, you may move on to step 2 of the GDPR roadmap.

2. Execute a full risk assessment

Once you have an overview of your data processing, you should then determine what could go wrong. What can be done with these processes that endangers the privacy of those involved? For each of these (potential) threats, determine how likely it is that this situation actually occurs (probability) and how serious the consequences of this particular situation would be (impact). Based on the combination of probability and impact, you choose which risks you need to deal with and in what order. Some risks have priority, while others may be provisionally accepted. You are looking for the best privacy protection achievable, taking into account your available time, resources and knowledge.

GDPR roadmap - Assess your risks

Assess risks according to probability and impact. Our in-depth e-learning training Risk Management can help you!

Not only does a risk assessment allow you to make the right choices concerning data processing, it also makes it easier for you to report to the authorities; you will be able to show what risks your organization is facing and what steps you have taken, as well as prove that you have taken the right measures for the most important risks. This is very important to the GDPR; you must be able to demonstrate that you are ‘in control’. What measures your organization takes is based on the policy you adopt according to the risk assessment.

3. Drafting your policy

As soon as the results of the risk assessment are clear, consider drawing up new policies or tightening up the current ones. Your policies describe how your organization handles personal data and its security. The risk assessment results are your guide; you choose which measures address the main risks. These choices will be found in your policy, which will also provide guidelines for your organization’s personnel, directing them how to act to protect the privacy of data subjects so that GDPR requirements are met.

When choosing measures and formulating or tightening policies, it is important to follow the GDPR’s requirements. The GDPR describes, among other subjects, the obligations of the controller (the party responsible for the processing) and the processor, and the rights of the data subjects. All of the requirements your organization must consider should be covered by the privacy policy.

If you do not know where to start when compiling a (new) policy and guidelines, use existing frameworks, such as ISO 27001. This standard describes what you should do in order to ensure adequate information security, and it can serve as a template for your own policy. Consider what you could adopt from this standard framework, and determine where you could adjust your current policy to align with ISO 27001. Depending on the type of organization and its risk management experience, you might opt for an alternative framework, such as COBIT. Use your risk assessment results to critically review these existing frameworks. This way, you will choose the measures that best fit your organization and the personal data it processes.

4. Implement your policy

Once your organization’s privacy policy is finalized, its implementation begins. You should start by implementing the measures adopted to address the most important risks. These can be separated into legal, organizational and technical measures.

Awareness is a valuable measure within every organization. It is essential that all employees are aware of the policy and act accordingly. To achieve this, everyone must also be aware of the risks your organization faces when processing personal data. Through a security awareness campaign, employees learn how to handle data and improve their knowledge of data security, as well as learn how to communicate securely with other parties. Such a campaign ensures that your organization will continue to efficiently maintain its privacy policy guidelines in the long term.

5. Monitor and respond

You should be ready for the GDPR on May 25th, 2018, if only to avoid the fines. More important, however, is that you will be able to guarantee the privacy of your customers, suppliers, business contacts and staff at all times. In order to do this successfully, it is important that you work with up-to-date procedures and measures. These will bring any privacy violations to light immediately, and allow you to respond both quickly and effectively.

To ensure that your procedures and measures are up-to-date, it is important that you monitor your organization’s current situation. Are your chosen measures effective? Have new risks surfaced? The use of the PDCA (Plan – Do – Check – Act) cycle helps you to keep on top of continuous monitoring in a completely structured way. As you follow the steps of the PDCA cycle, you are often required to go back to previous steps in order to make corrections, additions and adjustments.

Timeline and implementation

By proceeding with the described GDPR roadmap, you can help your organization ensure permanent protection of the privacy of those involved, as well as its compliance with the GDPR. These steps are virtually the same for all organizations; however, the corresponding timeline and exact steps to be taken can vary. May 25th, 2018 might seem a long way off, but the next months will shoot by a lot faster than you might think. In order to avoid setbacks and disappointment, plan a timeline for your organization as soon as possible. How much time do you need for each step in the process? Where might you expect setbacks? Who should you involve in the process? The answers to these questions will help you to adhere to a realistic timeline.

It is also worthwhile considering whether this GDPR roadmap plan is sufficient and appropriate for your organization. You may also have to comply with external regulations, or handle excessive amounts of ‘special categories’ of personal data. This could affect the completion time for specific steps, but might also have a knock-on effect as regards the timeline. So prepare the process well, and avoid nasty, last-minute surprises – and fines.