Companies that do business in the EU (European Union) are scrambling to be compliant with the General Data Protection Regulation (GDPR) which goes into effect on May 25th, 2018. It can be a daunting task searching for all the various resources and articles available that will help one attain compliance. Here at SYNQ we have been working hard to get our processes and documentation GDPR compliant. Since we know other companies are going through the same process, we would like to share the resources we have gathered so far.
These are some key requirements and items you will want to have for GDPR compliance:
Right to Erasure and Right to Portability - This means a data subject has the right to request their personal data removed or transferred.
Data Protection Measures/Privacy by Design - This means that a company must have measures in place to ensure personal data remains secure as well as procedures/behaviors that lead to protecting personal data.
Personal Data Breaches Procedures and Notifications - This means a company has to have procedures in place for notifying data subjects if there is a security breach. Specifically companies should inform data subjects within 72 hours if there is a breach.
Data Protection Impact Assessments - A company should have a way to assess how a new product or significant change in an existing product will impact personal data.
Data Protection Officer - Some companies may be required to appoint a Data Protection Officer, especially if you will be doing a lot of processing of personal data.
Consent Forms - Data users must consent to what information they are willing to share and know how it will be used.
Awareness and Training - In order to be compliant a company must make their employees aware of GDPR and train them in best practices of keeping all data secure especially personal data.
DPA with 3rd party providers - For the various 3rd party providers a company uses where personal data could be exchanged, you will want to have a (DPA) Data Processing Addendum, this document is essentially an agreement that both parties will keep any personal data being exchanged secure under the guidelines of GDPR.
Personal Data Flow Mapping - As part of GDPR a company must know what personal data is being used, how it is being used and what controls exist when the personal data leaves the organization. Creating a flow map will help with knowing how personal data is traveling into and out of your product, it will also show you have an understanding of how your product uses that personal data.