
12-STEP ACTION PLAN

Feb 14, 2017

12-STEP ACTION PLAN TO PREPARE FOR EU GDPR COMPLIANCE BY 2018

Proactively planning for the removal of data helps organizations meet “right to be forgotten” requirements, while also decreasing the chances of being investigated and fined by the Supervisory Authorities.

1. Conduct Internal Audit
Conduct an internal audit of all data and asset management policies currently in place. Analyze and identify weaknesses and gaps that would leave your organization vulnerable to non-compliance with EU GDPR.

2. Provide Proof of Data Removal
Respond to customer inquiries in writing and show verifiable, physical proof of how and where customer data is removed if/when it is outdated or irrelevant.

3. Deliver Customer Communications
Publish and inform customers regularly and repeatedly about the data processing methods and tools used. Publish and inform customers in writing of their right to withdraw consent to the use/storage of their data. If and when any changes are made to data processing and management methods, publish and inform customers in writing.

4. Incorporate Mobile Device Management
If employees use mobile devices for work (BYOD program), create and communicate data retention and BYOD resale policies to all employees. Make sure to create separate plans for “Choose Your Own Device” and corporate-owned devices.

5. Collect Data Responsibly
Set clear definitions for all types and levels of profiling implemented by your organization.

6. Drive Cross-Department Collaboration
Work with other departments across the entire organization to support their specific business needs/goals in relation to data collection, storage and removal.

7. Implement Education & Training
Build and distribute ongoing training (verbal and written) for internal employees across the entire organization outlining breach scenarios and causes, recordkeeping/monitoring best practices and an overview of proper (and improper) data removal methods. Create a culture of security across the entire organization, regardless of individual roles/functions.

8. Appoint Data Protection Officer
Identify and appoint an internal team member as your organization’s dedicated Internal Data Protection Officer (DPO). This person should be in charge of implementing operational systems and IT asset management workflows, while also staying up to date with announcements and guidance issued by the ICO and other governing bodies.

9. Monitor Risk Management
Create a comprehensive risk management plan that covers data across its entire lifecycle, from creation to storage to transfer to removal. This should include any third-party suppliers/vendors used by your organization.

10. Develop Incident Response Plan
Develop a written incident (crisis response) plan that can be enacted if/when a data breach occurs. This should include customer response messaging, media response messaging, maximum response times, expected timelines and an outline of all involved parties and their specific crisis response roles/functions.

11. Remove Data Securely
Securely erase data from electronics and IT equipment using a certified data erasure solution that adheres to legally required overwriting standards, such as HMG Infosec and DoD 5220.22-M. Make sure the solution is approved by government agencies and bodies like NATO, the Department of Defense, CESG, TUV SUD and DIPCOG, to name a few.

12. Create Written Documentation
Create and maintain a detailed register of all physical, virtual and logical places where data is held (covering corporate, customer, employee and third-party supplier/vendor data). Distribute and communicate every item in this register to all internal departments and stakeholders.
