Checklist to get ready for the GDPR

It’s less than a year until the European General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. As we shared earlier, the GDPR raises the bar for privacy rights, security, and compliance. And it applies to a sweeping range of organizations all over the world—anyone who collects and stores personal data about EU citizens.

Complying with the law’s 160+ new requirements will take time, tools, process, and expertise across your entire business. You’ll likely need to make significant changes to the way you protect, store, manage, and communicate about personal data. You might need to roll out new software. You’ll certainly need to roll out new business processes. And you’ll need to do it all before the deadline or face hefty fines.

Here’s a quick checklist to help guide your journey. It’s based on a 4-step process that Microsoft put together, and we’ve added key questions to answer at each phase.

Step 1: Discover

Start by looking at what you’re doing now. Identify and document what personal data you have, where it’s stored, and who uses it. If you haven’t already, you should appoint a data protection officer to lead this discovery (this role is required under the GDPR if you have more than 250 employees). You should also partner with legal, technical, and policy experts who can walk you through the process. Some questions to answer:

  • How does the GDPR apply to your organization?
  • What data do you collect?
  • Where does it live?
  • Why do you collect it?
  • Do you need to collect it?
  • Do you share it with others?
  • How long do you keep it?
  • How do you currently seek user consent?

Step 2: Manage

Next, you should put processes in place to govern how you use personal data. As part of this, you might need to adopt new technology to automate your processes, but you should also plan to update your business processes. Some questions to answer:

  • How will you respond to all personal data requests?
  • How will you classify data to make it easier to find and respond to personal data requests?
  • What will your employees need to do differently here?
  • How do you train employees to properly store and manage data?
  • How can you be sure you’ve erased data everywhere when requested?
  • Can you put any technology in place to automate some of this for you?
  • What business units will be affected? What business processes might have to change?
  • Have you documented your processes here?
  • Do you have a way to regularly test that these processes are working?

Step 3: Protect

Here’s where you set security controls to prevent, detect, and respond to data breaches. Some questions to ask:

  • Are you doing enough to safeguard personal data? Can you do more?
  • How do you detect vulnerabilities and data breaches?
  • How do your partners and suppliers protect your data?
  • Do you have a way to regularly test your response to any issues?
  • How will you notify users and authorities when there’s a breach?
  • Have you documented all of your processes here?

Step 4: Report

Last, you should document everything and manage data requests and breach notifications. Some questions:

  • How do you notify users about your privacy policy?
  • Will you need to update the wording of these policies?
  • How will you respond to data requests from your users?
  • Do you have a way to regularly test that these processes are working?
  • Have you documented all of your processes here?

For more, see the white paper from Microsoft: Beginning your GDPR journey. It connects the dots around how Microsoft technology can help you address the requirements of the GDPR.

How we can help

To accelerate your compliance with the GDPR, we can help move you to the Microsoft cloud. We’ve been doing migrations for nearly 25 years and are exclusively focused on moving organizations to Microsoft platforms. Our commitment to you is that we can deliver even the most complex migrations on an aggressive schedule—all without disrupting your users. See more about how Binary Tree can help you transform to Office 365.