1. Get a basic understanding of what GDPR actually is
Right now, you just need to get a sense for what GDPR is all about.
Don’t get bogged down in the detail.
Get to know what the high level principles of data protection are, and the rights that individuals will have under GDPR.
Given the number of self-styled ‘experts’ and ‘solutions’ out there, choose your sources of information carefully.
You can’t go too far wrong by starting with what the data protection authorities themselves publish.
2. Write down what your organisation does with personal data
I don’t mean a complete data inventory, or a document worthy of ISO certification.
I mean open an Excel spreadsheet (or find a blank whiteboard) and start writing down the types of things your organisation does with the personal data of customers, employees and any other groups of individuals (e.g. suppliers, prospects).
Even just for 30 minutes, think about:
- How you get the data [Gather]
- Where you store it [Store]
- What you use it for [Process]
- Who else you give it to [Disclose]
- How long you keep it and/or when you delete it [Retention]
Perhaps you don’t think you do anything with personal data. If you employ one person or have one customer, you are wrong.
- You pay them
- You recruit them
- You review their performance
- You maintain an HR file about them
- You sell to them and they pay you
- You call or email them
- You make notes about them
- You target them with marketing
It’s tough to do any of these things without some element of personal data.
3. [step 1] + [step 2] = [step 3]
Think about what you do with personal data (step 2) and consider the principles and rights of data protection (step 1).
Are you confident that everything you do (step 2) is aligned with the data protection principles and rights (step 1)?
What are the obvious gaps?
Now, start doing something to close these gaps. Get on with it.