With May 25th just around the corner, some companies not yet GDPR ready may be beginning to feel the pinch. But it is important to know there is nothing to fear; there is still time to get going. Just get a plan in place.
While the media has highlighted the significant financial consequences of failing to be GDPR compliant (up to €20 million or 4% of their global revenue), it is worth noting that regulators are prepared to take a wider view.
For most of Ireland and the UK (and indeed Europe), full compliance by the set date is unlikely to be achieved. One survey, published by DataIQ in early April, states that 25.4% of businesses are ‘prepared for GDPR’. Meanwhile, a report from Crowd Research Partners reveals 60% of businesses are expected to miss the GDPR compliance deadline. And of the 40% that will, just 7% are already fully compliant.
The good news is that regulators are expected to offer a ‘period of grace’ to struggling companies. In France, for example, the CNIL says it will delay taking any significant actions in the early months.
Getting GDPR Compliant: Key Questions To Ask
The steps involved in getting GDPR-compliant are detailed, but at their heart is the simple aim of protecting personal data. So even at the 11th hour, compliance is not out of reach.
Here is a checklist of questions to ask to ascertain whether your organization is actually ready. For each question, an answer of ‘Yes’ is one step closer to full compliance.
Have you …
Assigned Responsibility for Data Protection?
- Have you notified all departments who the selected Data Protection Officer (DPO) is?
- Have you set up the Working Group to get everything organized, up and running?
Provided Education & Training to Build Awareness?
- For both management and staff, have you developed a training programme to build awareness of the practices and responsibilities needed to maintain GDPR compliance?
- If so, are you keeping a record of attendance?
Created a Data Inventory?
- Have you clearly identified the purpose for retaining each category of data?
- Have you identified the legal basis for doing so?
- Do staff know the retention period for data?
- Are the necessary security controls (as set out by the GDPR) in place?
- Have you set up workshops to explain data inventory and mapping?
- Have meetings been set up to cross-reference and verify data?
- Is everything being kept on record?
Supported Individuals’ Rights?
- Have you designed procedures to ensure individuals know their rights? Key points to include are how data is processed, how to request access, how to have errors corrected and how to have their data deleted.
- Have you published a Privacy Statement and distributed it to everyone?
- What about online complaint and request forms?
Prepared Access Request Procedures?
- When employees request access to their data, have you got the necessary forms ready to implement that request?
- Are these documents templated and ready to use?
- Do your staff understand the process?
- Are they ready for periods of high engagement?
Prepared Data Breach Response Procedures?
- In the event that there is a personal data breach, is there a detailed procedure in place that adheres to the GDPR?
- Is the necessary documentation, such as the Breach Notification, templated and ready to use?
- Are staff clear on the possible chain reaction? Do staff know their responsibilities?
Ensured Smooth Security, Monitoring and Reporting Procedures?
- Are there procedures in place to ensure smooth reporting of data protection updates at regular stages?
- Are all protection controls accurately documented in detail?
- Are all security features implemented? Will these features and procedures be monitored adequately?