blog
How to Achieve GDPR Compliance: Documenting Our Experience
Introduction
The GDPR is a new regulation for the processing of personal data of data subjects residing in the European Union (EU). Essentially it is meant to protect the rights of those in the EU countries in regards to the fair and lawful processing of their personal information. It will take effect on May 25th of 2018. Some of the key elements addressed in the regulation include basis of data processing, compliance obligations, purpose limitations, breach notifications, new enforcement ramifications, and individual rights. Each member state of the EU has its own governing body, but the GDPR can be applied to anyone who has a hand in the processing of personal data for those residing in the EU.
Like thousands of other businesses, the new regulation impacts us directly, and so we thought this would be a good opportunity to share with our readers and others what we are doing to prepare for the GDPR.
Research
To begin, you’ll want to do as much research on the GDPR as possible.
We began with taking note of the key dates and principles of the GDPR. This way we could start with a high-level understanding of the regulation and slowly work our way into the specific details as our GDPR compliance team builds up.
Third parties and partners can be a plentiful resource for information on GDPR compliance, things like your CRM and larger partner accounts may already have done some of the legwork on GDPR research, so do use their publishings to help with this initial research phase.
There is a plethora of blogs, webinars, and compliance guides out there, so take advantage. Keep an eye out for resources that feature legal authorities, as they can provide great insight into the concept of GDPR and how it can affect your organization.
We attended some webinars featuring legal professionals which provided an interesting and credible foundation for our GDPR research journey.
Oh, and don’t forget about the regulation itself: it can be found at eugdpr.org, though (as for most legal writings) most won’t have the fortitude to read it in its entirety, but there are some great article summaries on the website.
See a list of resources at the bottom of this blog.
Organizing a Team
After preliminary research it was time to think about how we organize ourselves. Being a startup and comparatively small in size we wanted to make sure all our bases were covered.
First we Identified our Data Protection Officers (DPOs). For us it was natural to select the people whose job functions were seemingly most affected by the regulation. That said, the honor of the data protection officers fell on our VP of Marketing (Jean-Jerome) and Marketing Operations Manager (Josh, that’s me). It also helps to have a passion for data protection and privacy, as your DPO(s) will be the drivers of your GDPR compliance plan.
Next, you’ll want to appoint the larger GDPR team.
We were sure to include a representative from every department in our company and extended the invitation to colleagues with interest in data protection. Once you have your team it’s time to introduce them to GDPR with a preliminary meeting and establish your meeting frequency. We presented our initial GDPR findings to our members and decided to meet every other week on the topic in order to regularly track progress and make sure we’re as ready as can be come May 2018.
Planning and Execution
Naturally, the next step for us was to determine our first action items on the path to GDPR compliance. We used some third party resources and began building an action plan based on a combination of their findings and our own. It helped to compile all of our resources into one working document so we could refer to them as needed. Our action items looked something like this in the beginning:
Action Items
- Assign designated Data Protection Officers
- Identify core compliance team
- Identify appropriate EU Supervisory authority and contact
- Identify internal legal agreements (for employees & contractors)
- Hold initial GDPR Introductory meeting
- Perform and document an existing privacy and security analysis
- Assemble a Data Storage Inventory
- Carry out data protection impact assessment for high risk activities
- Create operational & technical roadmap
- Internal compliance documentation Inventory, assessment, and revisions
- Identify certifications and compliance recognition
One of the first things to do, after getting the team together and identifying action items for GDPR compliance, was to begin a data inventory.
Your data inventory is a full list of all systems and datastores where you collect, store, or process data. Your data inventory is needed to perform a security analysis and to carry out a data protection impact assessment for high-risk activities. We began with identifying the “what, where, how, and why” for all of our data processing activities and began to generate a comprehensive data inventory list along with third parties and partners who might act as either a data controller or data processor on our behalf. We were careful to be overinclusive at this stage to avoid letting anything slip through the cracks.
GDPR Definitions
Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor – the entity that processes data on behalf of the Data Controller
Obstacles
At this point it became clear that we will be facing some obstacles and challenges on our GDPR compliance journey. For one, even though we’re a small enough team, we work with thousands of people and companies across many countries and regions, some within the EU and some outside of it. So, naturally the question arose, “How should we organize the prospect and client data which we collect to run the day-to-day operations of our business?” Do we apply GDPR standards to all or take a more localized approach? For our own purposes, and seeing how the GDPR is pretty stringent and covers a lot of ground, we’re going to take the approach to apply the GDPR principles to all of our data handling. This with the thought that if we’re GDPR compliant, we’re likely to be compliant for most other regional regulations as well.
This is it for this initial report on our journey to GDPR compliance. In our next write-up we’ll cover our proceedings with high risk assessments, agreements that we’ll need to sign and get others to sign, and more.
In the meantime, here are some useful resources we’ve come across for now, which we hope can help you as well.