The European Union’s General Data Protection Regulation (GDPR) went into
effect on May 25, 2018, and 10 months later, it’s a good time to revisit these
sweeping changes.
You may remember the buildup, and how most of the fanfare focused on the
customer and vendor implications. But the legislation doesn’t just affect
consumer-oriented data; it covers employee data as well. GDPR protects people
who are in the EU regardless of their citizenship, so even if your organization
has no EU location, having employees in the EU brings their personal data into
scope, and you may face fines for noncompliance following a complaint or an
audit by a supervisory authority.
So as we near a year into GDPR, it’s not about getting compliant; it’s about
_staying_ compliant. Here are four insights to keep in mind as you navigate
data administration at your organization.
1. Ensure “privacy by design” is a foundational consideration.
Successful organizations aren’t stagnant, so every new project or initiative
you take on will likely have repercussions on your privacy policies and
compliance, especially if personal data is involved. With each new initiative,
assess the privacy impact before the processing starts; where the processing is
likely to result in a high risk to individuals (large-scale profiling or
systematic monitoring, for example), GDPR Article 35 requires a formal data
protection impact assessment (DPIA). And as your company’s overall strategy
evolves, so must your privacy strategy.
This means reviewing your privacy policies at least annually, and updating
them as appropriate, such as when your company makes substantial changes to
how it handles personal data.
Whether you’re conducting a regular privacy impact assessment or an annual
policy review, your organization should be:
- Assessing how personal data is collected, used and shared
- Making sure that there are measures that allow data subjects to exercise their rights under GDPR, such as procedures for accessing personal data, correcting inaccurate personal data, and respecting valid “opt out” requests
- Demonstrating a risk-based approach to protection, which includes revising the amount and types of personal data collected, and deleting, encrypting or redacting data based on its sensitivity
- Reviewing how your privacy approach aligns with any industry changes or case law that may arise
2. Maintain records of your processing activities.
Your organization should keep a record of all activities carried out involving
the use of personal data; GDPR Article 30 requires this of both controllers and
processors (with a narrow exemption for organizations under 250 employees whose
processing is occasional, unlikely to result in a risk, and does not involve
special categories of data). When there are new projects that involve personal
data, there should also be an update to any registers or systems that record
your personal data processing activities. Whether maintenance is done on an
ongoing basis or scheduled quarterly, up-to-date records of your processing
activities must be available on request to a supervisory authority, and they
are the first thing an auditor will ask for.
3. Stay on top of your breach reporting process.
Your organization’s role in handling data, either as a data processor or a data
controller, affects how and when any breaches are to be reported:
- As a data processor, you’re required to notify the data controller without undue delay after becoming aware of a breach involving personal data (Article 33(2))
- As a data controller, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33(1)); a notification made after 72 hours must explain the reasons for the delay
- Also as a data controller, if the breach is likely to result in a high risk to individuals, you must inform the affected data subjects directly without undue delay (Article 34)
The key is having clearly defined internal processes in place so that breaches
are detected, assessed, documented and reported thoroughly and on time. Note
that Article 33(5) requires you to document every personal data breach,
including those you decide not to report, so the assessment and its reasoning
must be written down either way. Test your processes, then test them again.
4. Make training—and retraining—your people a priority.
Even if your organization has robust data protection procedures in place, if
your people aren’t prepared to adhere to them, you could be at risk. Systems
and IT-based controls may provide some mitigation, but an employee misplacing
a device or not properly destroying sensitive paper records is a personal data
breach under GDPR, whose definition covers accidental loss and unauthorized
disclosure, not just a cyberattack.
Training is key, and it should include lessons on data security in general and
the GDPR in particular. And because threats are always changing, a regular
information security training schedule is advised—at least twice a year if
possible. Everyone in the organization should be included in training, because
keeping your data secure is everyone’s responsibility.
Heed the momentum for GDPR-like rules in the U.S.
You may think you’re in the clear if your U.S.-based organization’s data
doesn’t fall within the scope of GDPR. And that may well be the case—for now.
But there has been growing support from U.S. tech giants for federal laws
governing how companies protect user data. Cisco is the latest, joining Apple
and others, with the company’s top lawyer recently calling the current U.S.
data protection framework “not adequate.”
As more influential companies begin to push for change, federal regulators and
lawmakers may be more inclined to take note.
Do you have questions regarding the impact of GDPR on your payroll and HR
processes? Contact us today to learn more about steps your organization can
take for ensuring compliance.