With there now being less than a year until the EU’s GDPR becomes applicable you should be making serious plans to ensure you will be compliant on May 25 2018. We recommend a four stage approach that embraces:
- Discovery – identify what personal data you have and where it resides
- Management – govern how personal data is used and accessed
- Protection – establishing security controls to prevent, detect and respond to vulnerabilities and data breaches
- Reporting – executing on data requests, reporting data breaches and keeping the required documentation
We are going to look at all 4 of these stages in different blog posts. The first being GDPR discovery
The first step towards GDPR compliance is to assess whether the GDPR actually applies to your organisation, and, if it does, to what extent. This analysis starts with understanding what data you have and where it resides.
Does the GDPR apply to my data?
The GDPR regulates the collection, storage, use, and sharing of “personal data.”
Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. If your organisation has such data – such as in: customer databases, feedback forms filled out by customers, email content, photos, CCTV footage, loyalty program records, HR databases, or anywhere else- or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR.
Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR – the GDPR applies to data collected, processed, or stored outside the EU if the data is connected to EU residents.
Building your inventory
To understand whether the GDPR does apply to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal and to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.
To find out more, or to discuss your GDPR obligations, please contact us.