Here's an important question to ask yourself... is your organization dealing with information that belongs to EU residents?
If the answer is ‘yes’, then the new General Data Protection Regulation (GDPR) will apply to you. It's important that you act now, if you haven't already.
On 25 May 2018 the General Data Protection Regulation (GDPR) will become enforceable.
This will affect every organization that processes the personal data of European Union residents, including:
Every employer in the European Union
All organizations that offer goods or services to individuals in the European Union or that monitor the behavior of individuals - this includes organizations with no presence in the European Union
All data processors that process the personal data of European Union individuals
If your organization is in breach of the Regulation, you can expect administrative fines of up to 4% of annual global turnover or €20 million - whichever is greater.
The steps that you need to take to ensure compliance will be specific to your organization; however, you should start by following these 6 steps to prepare for the implementation of the GDPR*:
1. Appoint a Data Protection Officer (DPO)
Some organizations will have to appoint a Data Protection Officer (DPO).
Even if you are not required to appoint a DPO, you may still need to bring someone on board to manage GDPR compliance.
2. Carry out data mapping
Data mapping involves mapping out all of the organization's data processing activities, to get a full understanding of where the data flows.
This will allow you to come up with the most effective way to protect the information and reduce privacy-related risks.
3. Prioritize compliance actions
Determine the actions that will need to be implemented for each of your organization’s data processing activities. Make sure that only strictly necessary personal data is collected and processed and that the legal basis for the data processing is determined.
To handle data subjects’ requests, your organization will need to have a process in place. Under the GDPR, it is the organization and not the consumer that must prove that it has a legal basis for retaining control of or access to the data subjects’ data. If you refuse to relinquish data subjects’ data, then you are obliged to communicate why.
Ensure that privacy clauses are added to service agreements that you have with vendors/data processors, so that they are aware of the new obligations and responsibilities under the GDPR.
4. Manage the risks by conducting impact assessments
You will need to carry out a Privacy Impact Assessment (“PIA”) for each data processing activity that may pose high risks to the rights and freedoms of data subjects.
A PIA is an evaluation of the proposed processing of personal data. If your organization is processing personal data that is likely to result in a high risk to the data subject’s rights, a PIA must be carried out prior to commencing that processing. For a number of organizations, a PIA will be compulsory.
It is important to put in place measures to quickly respond to the main risks and threats to data subjects’ privacy.
5. Organize internal processes to ensure data protection at any time
Your organization needs to anticipate data breaches and how to respond to incidents.
Procedures must be implemented internally, to guarantee data protection at all times, while taking into consideration all events that may occur during the lifetime of a data processing activity.
6. Document all compliance measures to prove the organization’s compliance at any time
Finally, you must collate all necessary documentation together. The actions and documents produced at each step must be regularly reviewed and updated to ensure data protection continues to be maintained.
FlowForma is revolutionizing the traditional BPM space with an innovative approach to developing BPM products that empower users to create and streamline processes, utilizing the SharePoint platform, without any coding.
Some of the processes that you can build using FlowForma BPM, to help facilitate GDPR compliance include:
Privacy Impact Assessment process
Personal data request process
Personal data security breach process
To find out how you can empower your users to meet your GDPR requirements and create GDPR-compliant processes using FlowForma BPM, please contact us for a demo.
*This 6-step guide is based on the French data protection authority's (CNIL) six-step guide and tools to help organizations prepare for the General Data Protection Regulation (GDPR).