For organisations that are still struggling to work out where to start, the following six simple steps make a GDPR action plan more tangible and more transparent.
First, it is crucial to identify and evaluate all personal data that exists within the organisation. Doing so produces an overview of the personal data held and of the processes the organisation uses to handle it. That overview makes it easier to compare the existing data protection arrangements with the requirements of the General Data Protection Regulation and to identify any gaps in the GDPR effort.
Second, to gain an in-depth insight into all the data across the organisation, you need to gather a team of process experts to carry out the mapping. Unless the organisation is tiny, it is unrealistic that one person knows all of its processes well enough to ensure full compliance, so the size of this team should follow the size of the organisation. In addition to mapping the data and identifying gaps, the team will assist with the implementation and ensure that all changes are in line with the GDPR, which means that everything must be documented in writing.
Third, in addition to assembling a team, the organisation should appoint a specific person, also known as a Data Protection Officer (DPO), whose main task is to advise, guide and monitor that the organisation complies with the General Data Protection Regulation in every respect. The DPO is not only the link to senior management but also the point of contact for the Danish Data Protection Agency, and is responsible for maintaining and developing the organisation's data protection posture.
Fourth, another critical factor in GDPR compliance is investment in software and external expertise. For example, the regulation expects appropriate technical measures to protect personal data, such as encryption and pseudonymisation. One must also consider whether the method used to document the compliance effort is good enough: spreadsheets, for instance, have shortcomings when measured against the documentation requirements of the GDPR.
Fifth, to ensure that compliance works not only in theory but also in practice, all employees must be informed of and aware of their responsibilities for data protection. The organisation must provide clear communication and training to build a compliance culture in which the focus is consistent across the organisation. If every employee is not involved, it is difficult for the organisation to meet all the legal requirements.
Sixth, GDPR compliance is not a one-off project but an ongoing approach to personal data protection which the organisation must work on continuously. The legislation and its interpretation may change in the future, and it is essential to stay ahead of such changes by planning regular reviews of policies and processes. The organisation must therefore decide how best to handle changes like these, and how management will inform the right people when an update is required.
The above approach is recommended by RISMA Systems, a Danish GRC software company that provides IT tools for managing and documenting GRC initiatives.