The General Data Protection Regulation (GDPR), which comes into effect in May 2018 (only six months from now) has been the subject of countless conference discussions, press stories, and company meetings about the challenges of compliance. The GDPR is a lengthy and complex read, and its requirements – ranging from detailed consent requirements to the need to conduct data protection impact assessments – can seem daunting.

What is often lost in the concern about specifics is that the most important change the GDPR represents is the shift in thinking it requires. The GDPR provides that companies change their mindset from one of “check-box” compliance to accountability. It requires that companies look holistically at the data they collect and hold, how they process and protect it, and how they engage with data subjects to make it possible for them to access and correct their data and obtain recourse when things go wrong. Accountability takes into account the critical role data plays in all aspects of a company – marketing, delivery of products and services, understanding customers, accounting and payroll, outsourcing and customer care. It also reflects rapid advances in technology and data processing that will become part of all companies, if they have not already – software as a service, the cloud, data analytics and artificial intelligence.

Accountability can be reduced to five essential elements, each of which is reflected in the GDPR.

  • A company’s commitment to accountability and adoption of internal policies consistent with external criteria;
  • Mechanisms to put privacy policies into effect, including tools, training and education;
  • Internal, ongoing oversight and assurance to ensure that the steps a company has taken are effective and result in good privacy;
  • Writing and posting an understandable privacy policy and making it possible for individuals to access and correct data you maintain about them; and
  • A way for individuals to have questions answered and concerns addressed.

Recognizing this fundamental change is critical to companies’ successful compliance. Without question, individual requirements are important – companies must obtain the proper consents, write a privacy policy as provided for by the GDPR, and implement the appropriate level of security, just to name a few. But it is important to remember that compliance solutions need to create good governance across the company – GDPR compliance offerings that promise compliance based solely on, for example, obtaining customers’ consent, or on highly detailed data mapping alone, will not carry the day. Compliance depends on good governance – and that means taking a long, hard look at your company, your data and what you’ve put in place to mitigate risks to consumers.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software-guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information on how we can help your organization become GDPR-compliant, please contact info@achievedcompliance.com.