Actions to Take
The approach of individual companies to GDPR readiness is varied – this will depend on the nature and extent of any existing data protection compliance programme, and on the specific provisions in the GDPR which are likely to impact the business’ core data processing activities and broader business model. Businesses that have a sensible data protection compliance framework in place already should be able to build upon that as a foundation for GDPR compliance.
The following suggested steps, which can be taken now, will help companies to make the best use of the time remaining:
- Secure buy-in at senior level – meaningful engagement and accountability will be critical to introducing the changes that will be required to ensure compliance with the GDPR.
- Get organised – establishing early on a working group of people from across the business, who operate at a sufficiently senior level to introduce change within their respective departments, will help to keep the change programme on schedule.
- Audit – verify existing personal data assets, how they are used within the business, for what purpose, with whom they are shared, and what the current data protection programme consists of (if any).
- Assess GDPR impact – identify which of the changes in the GDPR will impact the business, and what changes will need to be made to the business’ existing data protection compliance programme.
- Engage and action – once the remedial activities have been identified, the business will need to engage the support of others internally to implement the necessary changes.
- Continued education – for data protection to penetrate corporate thinking, every member of staff must have an awareness of it. Colleagues must have an understanding of what personal data is, what the obligations relating to it are and how to report any issues.