Start with the GDPR roadmap today
The general steps to take to meet the GDPR are the same for all organizations that deal with EU citizen data. The GDPR roadmap is presented in the infographic below. Which additional steps you may need to take and how these steps should be taken varies from organization to organization. We will come back to this later.
1. Know what personal data you process
The first step is knowing exactly what personal data your organization processes. Personal data is all data that describes a person or their existence – either directly or indirectly. This may include phone numbers, email addresses, customer account numbers, suppliers or business contacts. There are also ‘special categories’ of personal data, such as medical data. You should know the following about every piece of data your organization processes:
- For what purposes do you process this data?
- What kind of data does this include?
- What does the processing of this data entail?
- Where is this data stored?
This overview will help you to understand your specific data processes. Find out which legal requirements and stakeholder expectations you need to fulfil. Once you have completed this overview of your organization’s data processing activities, you may move on to step 2 of the GDPR roadmap.
2. Execute a full risk assessment
Once you have an overview of your data processing, you should then determine what could go wrong. What can be done with these processes that endangers the privacy of those involved? For each of these (potential) threats, determine how likely it is that this situation actually occurs (probability) and how serious the consequences of this particular situation would be (impact). Based on a combination of probability and impact, you choose what risks you need to deal with and in what order. Some risks have priority, while others should be provisionally accepted. You are looking for the optimal privacy protection available, taking into account your available time, resources and knowledge.
Not only does a risk assessment allow you to make the right choices concerning data processing, it also makes it easier for you to report to the authorities; you will be able to show what risks your organization is facing and what steps you have taken, as well as prove that you have taken the right measures for the most important risks. This is very important to the GDPR; you must be able to demonstrate that you are ‘in control’. What measures your organization takes is based on the policy you adopt according to the risk assessment.
3. Drafting your policy
As soon as the results of the risk assessment are clear, consider drawing up new policies or tightening up the current ones. Your policies describe how your organization handles personal data and its security. The risk assessment results are your guide; you choose which measures address the main risks. These choices will be found in your policy, which will also provide guidelines for your organization’s personnel, directing them how to act to protect the privacy of data subjects so that GDPR requirements are met.
If you do not know where to start when compiling a (new) policy and guidelines, use existing frameworks, such as ISO 27001. This standard describes what you should do in order to ensure adequate information security, and it can be used as a template for your own policy. Consider what you could adopt from this standard framework, and determine where you could adjust your current policy according to ISO 27001. Depending on the type of organization and its risk management experience, you might opt for an alternative framework, such as COBIT. Use your risk assessment results to critically review these existing frameworks. This way, you will choose the measures that best fit your organization and the personal data it processes.
4. Implement your policy
5. Monitor and respond
You should be ready for the GDPR on May 25th, 2018, if only to avoid the fines. More important, however, is that you will be able to guarantee the privacy of your customers, suppliers, business contacts and staff at all times. In order to do this successfully, it is important that you work with up-to-date procedures and measures. These will immediately bring to light any privacy violations, and allow you to respond both quickly and effectively.
To ensure that your procedures and measures are up-to-date, it is important that you monitor your organization’s current situation. Are your chosen measures effective? Have new risks surfaced? The use of the PDCA (Plan – Do – Check – Act) cycle helps you to keep on top of continuous monitoring in a completely structured way. As you follow the steps of the PDCA cycle, you are often required to go back to previous steps in order to make corrections, additions and adjustments.
Timeline and implementation
By proceeding with the described GDPR roadmap, you can help your organization ensure permanent protection of the privacy of those involved, as well as its compliance with the GDPR. These steps are virtually the same for all organizations; however, the corresponding timeline and exact steps to be taken can vary. May 25th, 2018 might seem a long way off, but the next months will shoot by a lot faster than you might think. In order to avoid setbacks and disappointment, plan a timeline for your organization as soon as possible. How much time do you need for each step in the process? Where might you expect setbacks? Who should you involve in the process? The answers to these questions will help you to adhere to a realistic timeline.
It is also worthwhile considering whether this GDPR roadmap plan is sufficient and appropriate for your organization. You may also have to comply with external regulations, or handle large amounts of ‘special categories’ of personal data. This could affect the completion time for specific steps, but might also have a knock-on effect on the overall timeline. So prepare the process well, and avoid nasty, last-minute surprises – and fines.