GDPR compliance – where to start

The first few steps of your EU Data Protection Regulation (GDPR) compliance project can be the most confusing. Where to start, who should be involved, and how to meet all your obligations are just a few of the questions you will undoubtedly ask, and the entire process can seem incredibly daunting.

What is the GDPR and does your organization need to comply?

The GDPR demands greater accountability and transparency from organizations in how they collect, process, and store personal information. Compliance with the GDPR will be enforced from May 25, 2018.

All EU organizations, and non-EU organizations that monitor the behavior of or offer goods and services to EU residents, must comply with the Regulation.

GDPR compliance is not a choice, nor is it just a matter of checking a few boxes

The Regulation demands that you are able to demonstrate compliance. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with transparency, accountability, and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.

Implementing an appropriate compliance framework will enable you to avoid significant fines and reputational damage, as well as show customers that you are trustworthy and responsible.

Tackle immediate priorities to prove GDPR compliance

If you are just beginning your GDPR compliance project, it is unlikely that you will be fully compliant by May 25. However, steps can be taken to prove that you are making an effort to comply.

Our recent blog, The EU GDPR will apply to US organizations too – follow our key steps to compliance, outlines the activities that you should prioritize in the next month.

Kick-start your GDPR compliance project

If you are just starting your GDPR project, we recommend that you read EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide which provides comprehensive guidance and practical advice on implementing a compliance framework.

Topics covered in this bestselling guide include:

  • The data protection officer (DPO) role, including whether you need one and what they should do
  • Risk management and data protection impact assessments (DPIAs), including how, when, and why to conduct one
  • Data subjects’ rights, including consent and the withdrawal of consent, subject access requests (SARs) and how to handle them, and data controllers and processors’ obligations
  • International data transfers to ‘third countries,’ including guidance on adequacy decisions and appropriate safeguards, the EU-US Privacy Shield, international organizations, limited transfers, and Cloud providers
  • How to adjust your data protection processes to comply with the GDPR, and the best way to demonstrate related compliance
  • A full index of the Regulation to help you find the Articles and stipulations relevant to your organization