The clock is ticking and May 25th is now less than a month away… are you GDPR ready? If you read my blog post last year about GDPR, then you should already be familiar with this new legislation. But have you prepared? The two-year grace period is almost over, and with steep penalties for non-compliance, if you haven’t prepared yet, you still have time.
There is a lot to learn and understand and if you haven’t yet started your preparations, it can seem pretty daunting. We have put together some information for you to help you take the first step. Even if you have already taken the first step, this can also serve as a tool to ‘check your work.’
As you already know, the GDPR requires that you provide, upon request, any data stored about an EU citizen regardless of their domicile. You likely have numerous systems on campus or in your department that store personally identifiable information and it will be your responsibility to pool all the information you have into one document for the requestor.
Below is a graphic to assist you in the process of determining what you need to do to prepare for GDPR.
First, take an inventory of all the locations where personal data about any contact may reside or transit. To do this, you may want to start a document on which you brainstorm and list all the places you can think of where this may occur, and remember to include hard copies as well as electronic copies. What software do you use? What documents do you create? What do you print out? All of these will likely hold some sort of data for which you may be responsible.
Next, document how personal data is used and stored. Is it on a server, in a file drawer, in an email? If you build upon your inventory, noting how data is used for each ‘where,’ you can build a fairly sizable list of targets on which to focus.
Of course, consult with your legal team or DPO (data protection officer). Take your list with you and get advice on what you may need to do with these systems and documents. Find out what your obligations are and what changes you may need to make to the way you communicate internally and externally to be in compliance.
Finally, plan for how you will respond to a “subject access request.” Should an EU citizen make a request of you, you have 40 calendar days to respond. What will that response look like? Who will compile the report? How will the report be compiled? How much time will it take?
The old adage ‘the way to eat an elephant is one bite at a time’ couldn’t be more applicable than to GDPR preparation. You probably have a lot of data in a lot of places, but if you break the process down into smaller bite-sized pieces, you will soon find it is much less harrowing than when you look at it from a bird’s-eye view.