6 steps to achieving compliance with the GDPR
After 25th May, the GDPR affects practically every company that pursues marketing or business activity in the territory of Europe. Check this overview of the six basic steps required to achieve compliance with this regulation.
Step 1 – Understanding the legislative base of the GDPR
The first step to GDPR compliance is to understand its legislative basis and its fundamental principles. You can find the complete Slovak version of the GDPR on the website of the Office for Personal Data Protection of the Slovak Republic.
If your company is among the entities obliged to appoint a data protection officer, do so in the initial phase of the process.
Step 2 – Establishing a Data Registry – inventory
Step two in achieving GDPR compliance is to identify what data the company will archive, for what purposes, and where exactly they are located. Completing this part produces a Data Registry (inventory), which is essential for carrying out the subsequent steps.
The company exe, a.s. uses the partner organisation Bureau Veritas for the analytical part of the process of achieving GDPR compliance.
Step 3 – Data classification
In step three, it is necessary to understand which data need protection and in what manner. Then we identify where Personal Data are located (personal data is any data that directly or indirectly identifies a person in the EU), who has access to such data, and with whom the data are shared.
Based on these findings, it is possible to classify data according to their level of sensitivity and to identify the people responsible for checking and processing these data.
Step 4 – Data prioritization
When working with data and applications, the top priority should always be the protection of user privacy. For the most sensitive types of data or applications, companies should always ask themselves whether they really need this information and why. Such data are the most valuable to attackers and are therefore exposed to the greatest risk of theft or misuse. Companies should therefore create a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) covering all security policies and evaluate data life cycles from creation to destruction. The results of these analyses serve as inputs for implementing process and technological measures that protect personal data to the appropriate degree.
Step 5 – Securing secondary data
In addition to securing the most sensitive data, step five is about assessing and documenting secondary risks in order to determine where the company is vulnerable. During this process, it is necessary to maintain a Road Map of the process and to identify how and when the company plans to resolve the pending risks. Among other things, this activity shows whether a company actually takes GDPR compliance seriously.
Step 6 – Repeat process
The final step is to assess the results of the previous activities, eliminate any deficiencies, make adjustments, and update data or procedures. Once this is complete, new priorities should be set and the process repeated from step four.