Six steps towards GDPR compliance

Setting up a privacy program from scratch, whether it’s GDPR or CCPA, or both (!) can feel a little overwhelming.Where to start? Which are my biggest risks? How will this impact my business? And when are we compliant enough?

Some of the things we have learned from helping dozens of organizations with their privacy compliance is that you cannot go from 0 to 100% compliance in one go and that compliance is a continuous process anyway. The GDPR specifically has many requirements, principles and conditions, which we have tried to break down in six bite-sized pieces. If you want to make a steady improvement in privacy protection, or GDPR compliance, these are the trends you want to look out for in your organisation.

1. The first step concerns personal data collection. The GDPR wants you to collect as little personal data as possible, we call this data minimization. Take measures such as only collecting the data you need for your (clearly defined) purposes and storing data no longer than neccesary.
2. The next step is increasing your security. The GDPR requires adequate security for protection personal data. Now you might feel your security is plenty adequate, but have you considered both technical and organisation security measures? And are you keeping up with developments in cyber crime? It is rare to find an organization that cannot benefit from an increase in security or an update of employee awareness of this topic.
3. Hopefully more security will lead to fewer data breaches. But do your co-workers know how to detect, report and prevent accidental data breaches?
4. The burden of proof for GDPR compliance lies with the organization that is the data controller. Each organization has to be accountable for how they handle personal data and needs to be able to prove they have the right legal grounds for using the data.
5. Not all data stays within your organization. Are you aware who your processors are and how they handle data on your behalf? Or maybe selling or sharing data is part of your business. In this case you need to make sure you meet the strict requirements of the GDPR and CCPA.
6. Transparency is key in assuring data subjects can enact their privacy rights. Transparency has both an active and a passive component. You need to let people know how you handle their data in a privacy statement and upon request, you need to give a person insight into their own personal data.