Your GDPR Journey, Step 4: Report

Along with setting new standards for data privacy, the General Data Protection Regulation (GDPR) also raises the bar for transparency, accountability, and record-keeping. Not only might you need to be more transparent about how you handle personal data, you should also actively maintain documents that define how you use this type of data. Plus, you should be ready to handle ongoing data requests from users and to notify people if there’s a breach.

GDPR Compliance | Binary Tree

Keep the required records

If your organization processes personal data, you’ll need to keep records about these things:

  • Reason you process a piece of data
  • How you classify personal data
  • Which third-parties have access to the data and why
  • Organizational and technical security measures
  • How long you keep the data

One way to get there is to use an auditing tool, which can help ensure that you track and record the moment anyone in your organization (or your partners) touches a piece of personal data. This could be at any point where you collect, use, share, or handle it in any way.

Handle customer requests

This one’s a biggie. Under the GDPR, residents of the EU have more control than ever over their personal data. For example, they can:

  • Choose not to let you gather data about them at all
  • Ask you to show or export the personal data you have stored about them
  • Ask you to delete their personal data across your organization

These are rather comprehensive requests. For example, if someone asks you to delete every piece of data you have about them, would you be confident today that you could do that easily across your entire organization? If not, you need the right tools, processes, and people in place to be ready to field these requests—within a relatively tight time frame.

It all comes back to strong data governance, which we’ll be talking about more in upcoming blog posts. Depending on your organization, the GDPR might require you to appoint a data protection officer (see articles 35, 36, and 37). This person should be involved in all things personal data, and they can help you set up the data governance plan and processes to handle customer requests and more.

Notify data subjects

Last up, the GDPR has tighter rules about what you need to do if there’s a data breach. First, you should notify your data protection authority within 72 hours. Then, if the breach poses a high risk to the rights and freedoms of your users, you also need to notify the affected people as quickly as you can (with no undue delay).

These are the types of reporting capabilities you should set up:

  • Cloud services (processor) documentation
  • Audit logs
  • Breach notifications
  • Handling data subject requests
  • Governance reporting
  • Compliance reviews

Need help with the GDPR?

We at Binary Tree are doing our part to help our clients protect the privacy of their own customers. We do that by helping you move to the Microsoft cloud, which Microsoft has committed will comply with GDPR by the deadline.

Microsoft products and services make it easier to detect and assess security threats and breaches. They also come with built-in reporting tools to help you meet the GDPR’s breach notification obligations.

Plus, Microsoft has committed to helping you respond in those times where they share some (or all) of the responsibility. They’ve set out a detailed process around how to manage security incidents. And they back up their GDPR commitments in their contract language.

To get started, get in touch. We look forward to partnering with you on your GDPR journey.

 

Source: Microsoft, Beginning your GDPR Journey, May 2017.