By: Will Xiang, CAMS, CITP, CPA, CA
With GDPR around the corner, building a compliance regime and shifting operational priorities have become a focus for companies holding, or potentially holding, Personally Identifiable Information from EU citizens. Complying with GDPR is of course top of mind; the harder question is how to execute on this goal effectively without adversely impacting operations.
IAPP has recently published a summary of 10 operational impacts of GDPR, which provides guidance on the impending change.
Organizations will need to build pragmatic frameworks to apply GDPR in a customized, risk-based, and common-sense manner. The ultimate solution will depend on the organization's maturity.
The initial questions should include:
- Internal: How is data used in the organization? Where do we keep personal data? Why do we have data? When do we collect data?
- External: Which third parties have access to the data?
- Data Subjects: How do we interact with data subjects (i.e., the people who provide us with data)?
- Processes: What are our current internal processes around information security, breach notification, and codes of conduct?
These answers should be inventoried in a way that can be visualized and is easily accessible. Organizations should engage with key knowledge-holders to ensure the information reflects current operations. Identifying these knowledge-holders will be a priority.
With a clear understanding of current maturity, we should then plan for future implementation and spend time in areas of need. Our initial data-gathering efforts will also enable the future Data Protection Officer to perform his or her role effectively and make data-driven decisions.
Look for Part II - Building Execution...