Annika Anikari // May 19 2017
Creating GDPR compliance requires systematic approach
The European Union’s General Data Protection Regulation (GDPR) strengthens the rights of individuals to control how their personal data is handled and used. The new regulation applies to all organizations that offer their services in the EEA area from May 2018 at the latest. You might think, “Surely this relates only to IT systems and is taken care of by someone other than me?” No. Anyone working with any kind of personal data collected from EU and EEA citizens needs to know what GDPR stands for and how it is going to affect us.
Even though you might have heard the saying “people who sleep late are smarter”, it is not wise to sleep on this one: the early birds have already been at work for a long time. In our experience, many companies are struggling with the fact that they should do something, but they don’t know where to start, from which budget the actions should be paid, or where to find the time for a project to build compliance. It is also common that they are not aware of their current state, which makes it even more difficult… and so the project planning is postponed again by a week or two.
I tend to think about the possible ways of checking preparedness as a board game. A good starting point on the board is to analyze the systems containing personal data. Then take the needed steps and continue to the next, bigger circle on the board, asking “What personal data is collected into this system, and for what purposes is it needed?” Continue further and take the steps to the circle of defining the ownership of this data, and then check with the owner for how long the data is needed. None of this data should be stored once it is no longer needed, which means you have to have retention and removal practices in place. When you have checked those, continue your systematic approach and go through all the systems in scope.
On the other hand, if you can choose yourself where your token enters the board, another good place to start your journey across the game board could be the processes related to the rights of individuals. If a data subject, for example, wants to exercise the right to access their data, to object to the processing of their personal data, or to have some data rectified, do you have the processes and the data processing practices in place? In the process-based scenario, you approach the data storages and the data itself from another angle. Regardless of your starting point, in the end the analysis and the improvements will have covered them all: processes, technical solutions, guidelines and policies, agreements with subcontractors and customers, as well as the documentation that needs to be in place.
Sometimes you might have so many games and players going at the same time that it is difficult even to choose the color of your token. The number of tracks where you are needed at the same time is huge, and the amount of information available on GDPR is overwhelming. Don’t worry, our consultants can support you both in reviewing the current state and in creating compliance. Do you want to join those companies that are on their way to being on top of this issue? Please contact us and let’s figure it out together!