GDPR best practices in 7 steps
The European Union’s General Data Protection Regulation, GDPR, is completing its first month as an enforced law. A lot has been done to make IT companies compliant with GDPR, however, it is just the beginning. Although it applies only to European citizens GDPR rules imposed a new reality in the world and all the efforts made to achieve compliance to this regulation can be lost if organizational practices and infrastructure are not maintained.
Knowing that what matters is not only to become compliant but to stay complaint we prepared a checklist of the most important tasks to keep your company following GDPR:
2- Keep your staff trained
Despite all technologies applied to protect data the most important link in the chain is still a well-prepared staff. Make sure that any new employee is aware of GDPR, its importance, the rights of users and internal data security policies. Organize periodical training about the most important procedures necessary to protect data and to respond to users’ requests.
3- Exercise your data breach plan
Data breaches are events that all companies want to avoid. However, it is important to be ready to act correctly if it occurs. To know if your data breach plan is well understood by your staff and everybody will follow the plan it is important to evaluate periodically some points like:
• Employees know where to find data breach report forms?
• They know how to fulfill the forms?
• Who must be informed of data breaches?
• Who is responsible to communicate with users when these events occur?
4- Keep your data inventory updated
You must always be prepared to explain how the personal data are being collected, used, and if necessary edited. You also need to be prepared to respond to requests of erasure and portability of personal data. To do this a data inventory must be maintained. Don’t forget to take into account data stored in backups, they contain personal data that must be erased when “right to be forgotten” is claimed by a user.
5- Maintain security infrastructure updated
We all know technology is continuously evolving, keep in mind that it applies to both security safeguards and security threats. For this reason is essential to maintain security measures like encryption algorithms and authentication technologies following industries best practices. A good tip is to use a host platform that is GDPR compliant, this will save efforts to keep infrastructure updated regarding new security technologies.
6- Ensure that third-party vendors are compliant
If a third party is processing data in your behalf, make sure they have a data protection program and that it is being followed. Remember to sign a DPA (data processing addendum) with all data processors and maintain a list of used third-party vendors updated and accessible to the public.
7- Maintain adequate protections if data is being transferred outside EU
If any personal data collected from EU citizens are being transferred outside EU you need to make sure that the level of protection is not reduced. European commission listed some countries that provide an adequate level of protection, however, this list may be modified over time. Remember to check the list of countries with the adequate level of protection when data is being transferred outside EU.