To begin the process of becoming GDPR compliant, a sense of urgency must come down from top management. Prioritizing any kind of cyber preparedness requires executive leadership involvement, and compliance with global data hygiene standards should be treated as part of that preparedness.

All stakeholders should be involved, because IT on its own is not equipped to meet the requirements GDPR sets. Form a task force that includes sales, marketing, operations, finance and any other group in the organization that collects, analyzes or otherwise uses customers' personal data. A task force improves the flow of information to the people implementing the necessary technical and procedural changes, and prepares each department to handle the impact on its own team.

Conduct a risk assessment. The organization needs to know what data it stores and processes about individuals in the EU (GDPR applies to data subjects located in the EU, not only to EU citizens) and understand the risks surrounding that data. The assessment should also set out the measures to be taken to mitigate each risk. A key part of the exercise is uncovering any shadow IT involved in collecting or storing PII; shadow IT and the many small point solutions that accumulate around it represent a far greater non-compliance risk than their size suggests, and must not be ignored.

Appoint or hire a DPO. GDPR does not require the DPO to be a standalone position, so an organization may assign the role to someone with a comparable existing role, provided that person can protect PII without a conflict of interest (the regulation prohibits giving the role to someone whose other duties conflict with it). Otherwise the organization will need to hire a DPO. Depending on the organization, the DPO may not need to be full time; in such cases a virtual DPO is an option. GDPR allows a DPO to serve several organizations, so a virtual DPO works much like a consultant engaged as needed.

Create a data protection plan. Many companies already have one in place, but it must be reviewed and updated to ensure it aligns with the requirements GDPR sets.

Mobile must also be considered. A survey found that about 64% of employees access employee, partner and customer PII from mobile devices, which creates its own set of GDPR non-compliance risks. In the same survey, about 81% of respondents said employees are permitted to install personal apps on the devices they use for work, even when the device is the employee's own. Any such app that accesses or stores PII must do so in a GDPR-compliant manner, which is hard to control once you take into account the unauthorized apps employees actually use.

Create a plan for reporting the organization's compliance progress. With the clock ticking, organizations must be able to demonstrate that they are making progress on the Record of Processing Activities (RoPA) required by Article 30 of GDPR. The RoPA is, in effect, an inventory of processing activities (purposes, categories of data subjects and personal data, recipients, international transfers, retention periods and, where possible, the security measures applied), and having one makes the organization a less easy target for regulators. Establishing the RoPA is an important focus at this stage because it lets the organization identify exactly where personal data is processed, who processes it and how.

Now the measures to mitigate the identified risks must be implemented. Once the organization understands the risks and how to mitigate them, it should put the measures in place; for most companies this means revising existing risk mitigation measures rather than starting from scratch.

A small organization should ask for help if it needs it. Smaller organizations will be affected by GDPR, some far more than others, and may not have the resources to meet the requirements. External resources exist to advise them, and technical experts can guide them through the whole process while minimizing internal disruption.

Test the incident response plan. GDPR requires organizations to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (and to inform the affected individuals when the breach is likely to result in a high risk to them). How effectively the response team limits the damage directly affects the organization's exposure to fines for that breach, so make sure the organization can both respond and report within that window, and exercise the plan rather than assuming it works.

Set up a process for ongoing assessment. Staying compliant requires constant monitoring and continuous improvement. Some companies are considering incentives and penalties to ensure employees follow the newly mandated policies: in one survey, 47% of respondents said they would likely add mandatory GDPR policy observance to employee contracts, 25% might withhold benefits or bonuses if a GDPR violation occurs, and 34% said they would reward employees who comply.

All of this should be treated as a way to improve the business. In one survey, 74% of respondents believed that complying with GDPR would give them a competitive advantage, and compliance is a boost to consumer confidence. More importantly, the technical and process improvements needed to meet GDPR's requirements should also make the organization more efficient at managing and securing its data.
