In May, the new European data protection regulation (GDPR) will come into force. This brings enormous changes, both in the principles of privacy and in consumer rights. Adapting the company’s systems to the GDPR is vital, since non-compliance with the regulation will lead to high financial penalties, which could drive the organization into insolvency. Yes, these sanctions are much more severe than those of previous directives. However, keep calm: we are going to give you the 6 key steps to prepare your systems for the GDPR. Are you ready?
GDPR: 6 key steps
The steps for GDPR are:
1) GDPR comprehension and awareness
Understanding the legal framework of the new regulation is fundamental for compliance. Therefore, organizations may opt to hire a data protection technician to perform an audit and provide advice regarding the regulation and its implications.
But in addition to having a technician specialized in the legal and technological fields, members of the company also play a fundamental role.
Each company is different, and the road to follow in order to accomplish compliance with GDPR will be as well. Therefore, regardless of the characteristics of the organization, it will be paramount for all of its members to be committed to the new regulation.
2) Analysis of the impact of current data
It is paramount to analyze and evaluate all personal data stored by the organization: identify its origin and the reasons why it is stored, and verify whether it is really necessary to keep all of it, since the more information one possesses, the higher the risk of that data being compromised and, therefore, breached.
3) Special requirements for handling the data of underage persons
For the first time ever, GDPR will offer special protection to children. Therefore, any company or organization that offers online services to underage audiences will be required to obtain consent from their parents or legal guardians in order for the data processing to be lawful.
GDPR sets forth that from age 16 children may give their consent autonomously. Therefore, it is important for the way in which consent is requested to be expressed in language that is suitable for and comprehensible to minors.
4) Updating data security policies and procedures
It is important to review how consent is recorded and handled in order to verify whether it is necessary to make any changes for it to meet GDPR standards.
One of the key aspects of the new regulation is that both policies and procedures must be highly accessible and easy to understand, so that consent is given freely and specifically.
5) Data protection by design and by default
Even though it has always been good practice to adopt a privacy-by-design approach, with the new regulation this now becomes an explicit right. GDPR strengthens the position of European citizens since, as owners of the data, they own their privacy and therefore decide who handles their data, and when and how it is handled.
Additionally, “protection by default” now means that a user's failure to take action is interpreted as a failure to give consent.
Here it is important to mention the data protection impact assessment (DPIA), which helps organizations identify, evaluate and/or minimize risks to privacy in certain personal data processing activities.
It is a requirement to perform a DPIA when the processing of data is of “high risk to the rights and freedoms of persons.”
6) Understand whether the organization will be affected
Once all aspects related to GDPR have been understood, it is necessary to determine to what extent the organization is affected. This depends on the nature of the company, whether it offers goods or services in the EU, or if it processes or stores data from European companies.
WSO2: your ally to face the GDPR
Once you understand the impact, the consequences of non-compliance, the principles and the new consumer rights GDPR implies, you might be thinking about how you can adapt your IT systems to this new regulation as soon as possible.
The solution? WSO2. This software development company can become your greatest ally in the face of GDPR. So much so that WSO2 is the technological provider par excellence of major companies such as eBay, Motorola, Verifone, Transport for London and others.
WSO2 Identity & Access Management (IAM), in conjunction with WSO2 API Management, is essential when preparing your company for GDPR, since it covers the main characteristics of the new regulation: customer data privacy, control policies to safeguard user rights, and consent management. Their design is based on supporting digital transformation initiatives, connecting and managing multiple identities.
WSO2 Identity & Access Management
If you want to know more about how WSO2 Identity & Access Management can help you prepare your systems to face the GDPR, contact us; we are waiting for you!