This is my third blog post on the European Union’s General Data Protection Regulation (GDPR). For basic information about GDPR and why U.S. businesses need to watch out for GDPR, see my first blog post in the series. Or to see what GDPR says about information security requirements, see my second post.
What is the first thing your business should do in taking steps towards GDPR compliance? The short answer is you should assess your current privacy and security program.
More specifically, you will need to understand your organization, its business context, its culture, and the types of personal data it processes. You will need to understand in a detailed way what kinds of personal data the business is collecting and receiving, how it uses personal data, its practices in sharing and transmitting personal data, its retention of personal data, and its disposal of personal data. Your business should understand its entire personal data lifecycle and where personal data flow through your business’s systems. You need to assess the strengths and weaknesses of your current data protection program. Once you have made this assessment, you can plan future steps to enhance the data protection function within your business. You can then assess its effectiveness and make improvements.