GDPR Compliance Doesn’t End After May 25

May 25, 2018
Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic and holds an MSc. from Charles University, the oldest university in Central Europe.

With GDPR going into effect, all companies should by now have established some form of compliance program. While it may be tempting to think that your GDPR compliance efforts are now over, the reality is that the focus on compliance is just beginning. There are many activities that companies need to start doing to ensure ongoing compliance and to confirm that their existing compliance efforts are performing as expected. In particular, there are four common things companies should keep in mind.

1. Monitor your ability to respond to privacy inquiries or privacy requests

All companies should have an email address or phone number—or both—for individuals entitled by GDPR to ask about their personal data processed by the company or who may make any privacy-related requests. Companies should also have enough staff and resources allocated so responses can be returned in a timely manner. For many companies, an existing support team will be handling this, and that support team needs to be prepared for any potentially intricate or involved questions that may be asked. Any new teams brought on for this purpose should be properly trained and kept up-to-date on GDPR compliance criteria.

2. Take an active role in vendor management

With so many companies moving to the cloud, third-party vendors have become a necessity. After May 25, companies need to ensure that their vendors continue to maintain compliance. Depending on the risk level and the amount of personal data handled, a written, documented plan should be created outlining the frequency with which vendors will be subject to regular compliance checkups. You also may need to perform ongoing verification of their ISO 27001 or similar security certification, review reports or more detailed documentation, or refer to some other agreed-upon mechanism to ensure that your vendors continue to maintain security and adhere to privacy principles.

3. Ensure every department is in compliance

It’s extremely likely that companies will need to start doing cleanups of the data obtained by various business functions—like HR, sales, and marketing. This data could include marketing contacts, information about former employees, or other potentially sensitive documents. Companies should have a plan in place to determine how frequently these cleanups will occur and who will be responsible for them. In some cases, companies will have already invested in automation, in which case all it takes is a regular checkup by the compliance or internal audit team. If a company decides to do this manually—which is more common for companies who want to do annual cleanups because the bulk of their contracts are for multiple years—then it needs to be established in advance who will be responsible for these cleanups.

4. Keep pace with industry and regulatory development

As a company’s business evolves, the scenarios for processing personal data might also evolve. Investments in new technology, newly acquired customers, or expansions into new industries are all things that your compliance team should be following very closely. In parallel, there will be the first regulatory proceedings, maybe even court trials, as a result of GDPR. Industry-specific GDPR codes of conduct may appear, best practices will evolve, and so will the overall compliance landscape. It’s hard to say now how developments in these areas could affect your business, but if your privacy team doesn’t stay up to date and take the time to put a plan in place at the right moment, you’ll be in firefighting mode when those effects do become apparent.

Keeping these things in mind will go a long way toward ensuring ongoing GDPR compliance. By taking a proactive approach to addressing current ways of working, companies can help prevent issues from cropping up down the line.
