GDPR is the General Data Protection Regulation introduced by the EU. The regulation requires that private and public organizations of all sizes are expected to improve their privacy policies and data protection systems. Failure to protect data and privacy attracts large fines and by making a sensible plan an organization can not only comply with the GDPR but ensure that no penalty is imposed on them.
Team
The first step in the process of complying with GDPR is to form a team. The focus of the team is to build an end to end data protection system and privacy policy. All personnel and the legal counsel of the organization should be educated about the steps taken by the company or organization to comply with GDPR.
Identification
The team needs to find the types of data captured by their systems. The team has to find out how captured data is processed, who is given the responsibility of processing data and why the different types of data are captured. Once they have a clear picture of how data is captured making a plan is easy.
Flow of Information
To effectively enforce end to end data protection in a GDPR action plan, the team has to find all places where data can be copied or shared. While companies usually focus on their IT department to protect data, it is important to check each department and plug any possibility of leaking data. For instance, the sales department and customer services department will store and share customer data.
Update
The team should update all privacy policies and data collection practice rules. The company should explain clearly how employees should use the data of other employees or customers. They should make sure that the HR department collects relevant data about employees and customers. They should also have a system where data can be deleted in place.
Data Request Policy
The team should formulate a plan for the HR department to manage data portability and data erasure requests. The circumstances under which data can be shared or deleted should form part of the plan. The terms under which employees can consent to or remove consent when their data is being processed should also form part of the plan.
Breach Response
The GDPR requires that data security breaches should be reported within three days to the Data Protection Authority. The company or organization should have an officer in charge of data breach who should be responsible to investigate, control and report the breach. The data breach may be data of customers or employees.
Training
All employees should be trained to protect data by the company. They should be up to date about the data protection policies and should identify a breach and report the breach to the data protection officer. The company should have annual refresher sessions to train employees about any new updated policies.
With a sensible plan in place, GDPR compliance for companies and businesses of all sizes will be a secure and efficient process.