Time passes quickly, and there is less and less before May 25th is finally here and the new GDPR regulation becomes effective. You don’t have to have completed all the adjustments by that date, but you must have already begun to implement the necessary measures for compliance.
Let’s try to take a few steps forward on this path of adjustment.
You must know where you’re coming from to understand where you want to go.
This aspect is often underestimated or taken for granted.
To do everything that is required by the GDPR, you must understand your starting point so you will be able to determine what is lacking before you can be considered “compliant”, as well as which aspects you must act on. Are you at 30% or 70% on your path towards compliance? Do you already comply with the rules of the GDPR, or are you far from it?
Without this information, it is difficult to know where to start from.
Think about it carefully; just like when you bake a cake, the first thing you do is make sure you have all the ingredients and only after doing so can you start cooking.
The time has come to make your shopping list and find out how many ingredients you are missing.
To help you with this task, we have created a list of questions that may help you. Here are the first 10:
Do you process personal data?
What kind of personal data do you process?
Are you able to identify physical, virtual and/or logical locations where the data is collected and stored?
Considering the purposes of your processing, are you really sure you need all the personal data you have?
Considering how personal data is the true focus of the Regulation, we must absolutely start from this element. Knowing what kind of data you process is not only important for identifying the most appropriate security measures, but also helps you understand if there are special categories of personal data involved in your processing activities.
How do you process the personal data?
For what purposes?
Do you perform profiling activities on individuals in any way? If so, are you able to establish motivations and implications?
When you collect personal data from the interested parties, do you provide them with an informative note and specify their rights?
If an interested party wants to know what information you have about him, are you able to handle this type of request?
And are you able to handle all the requests that the interested party could advance, in line with his rights?
When you know what kind of information is in your possession and where it is stored – and this could be a difficult step – the next step is to clearly establish what you do with this data and especially why you process it.
This implies making a list of all the activities performed with personal data. Obtaining information about the processing also means mapping its management process, a very useful task especially when the interested party makes legitimate requests, such as deleting their data or making it accessible.
We know quite well that answering these questions is not a matter of a few minutes!
But we assure you that they are a great starting point, especially if you don’t know where to start to prepare for the GDPR.
Next week we’ll give you the other 10 questions, providing you with a big picture that you can both reflect and above all act on!
Obtaining an overview that lets you “map” people, roles, skills, procedures, tools and documentation will save you a lot of time later.
And don’t forget, Microsoft Dynamics 365 CRM is a valuable ally for all of this!