by Jim Ashton | Oct 8, 2018
What is the impact of the GDPR data protection regulation on your organisation?
A friend and professional colleague of mine, Bruce Robertson, summed it up in one brief sentence.
"The impact is from post-room to board-room."
All of your business and support areas should be assessed to determine if the GDPR needs to be applied.
If you aren't sure whether you need to implement the GDPR, take our test. If it tells you that you do, come back to this article and read the rest of it.
GDPR impact scope highlights
All the personal data you receive, store, process and disclose to external entities must be governed by the GDPR.
Personal data entering and leaving your organisation on a regular and scheduled basis must be done under a GDPR compliant written agreement.
Personal data entering and leaving your organisation on an ad hoc basis must be recorded and actioned under separate GDPR requirements.
Personal data that is disclosed to any external entity outside the European Economic Area (EEA) can only be done if specific conditions are met.
- dealing with individuals' (data subjects) rights,
- maintaining records of processing activities,
- establishing GDPR roles, responsibilities, accountability and liability in agreements that involve the interchange of personal data between your organisation and external entities,
- keeping all agreements that involve the interchange of personal data GDPR compliant,
- auditing any companies you outsource to that process personal data you give them,
- ensuring that you respect the GDPR requirements if your organisation acts in the role of data processor,
- ensuring that all projects include data protection impact assessments (DPIAs) to make sure that they meet GDPR requirements,
- making sure that you respect the GDPR's transparency requirements when dealing with individuals,
- ensuring that you only collect the personal data you need and that you only keep it for as long as is necessary,
- fortifying both digital and physical security in line with risk,
- ensuring that all channels meet GDPR transparency requirements,
- analysing and reporting any suspected or real personal data breaches,
- establishing a data protection best practice,
- ensuring that all HR policies and contracts are GDPR compliant,
- preparing training material,
- training your staff on an ongoing basis and logging attendance and results,
- responding to requests from Supervisory Authorities,
- ensuring all parts of your organisation are properly registered with local data protection authorities,
- setting a risk appetite,
- risk recording,
- monitoring and reporting risk,
- building a GDPR audit and review capability,
- building a compliance review process to regularly check that everything is performing and if changes need to be made,
- creating GDPR framework governance and controls to embed all of the above in your organisation.
Whether you do these things yourself or get help is your choice but make no mistake, to provide the GDPR framework your organisations needs to protect everything from post-room to board-room is challenging and demanding.
GDPR SMEs has driven GDPR framework projects from the top down for small, medium and large organisations including multi-nationals. If you'd like to know more, give us a call!
More articles: GDPR and personal data in the USA, Privacy Shield or Model Contract? | GDPR controller to processor contract considerations | Dealing with suspected personal data breaches under the GDPR | GDPR employee monitoring | Are you respecting your employees rights to privacy? | GDPR Human Resource consideration case study covering consent and rights | GDPR scaremongering | a few GDPR myths exposed | GDPR, what is personal data for European organisations? | Information security certifications and the GDPR | Am I OK with an ISO 27000? | How to set up a representative for the GDPR in the EU | When should you appoint a Data Protection Officer?