GDPR is an important regulation, but as I have stated in earlier posts, even though the EU is encouraging compliance, there are no norms, certifications or best practices available to guide you, at least for now. One of the most commonly asked questions is: where do I start? Here are 7 things to consider.
1. Is this information related to GDPR or not?
The first thing to understand is that this new regulation has a narrow scope: it only addresses personal data. Therefore your data processing, data capture, data exchange and data storage all have to be inventoried. So ask yourself: does GDPR apply to this information or not? Once the data handled has been identified as personal data within the scope of GDPR, there are several aspects to cover:
2. Is the data necessary to the process?
Limit the use of data by providing only what each processing step actually requires and no more. What information is absolutely required at each step? The less information you share the better, so minimize it.
3. Who needs the data?
Which organizations, which processes and which people need to access the data? Those with a business or contractual need should have access; everyone else should not.
4. Has an accurate data handling process been defined and implemented?
Has the data handling agreement been made explicit? Which fields may be shared, with whom, and which may not?
5. How long should I store the data?
Is there a business rule or legal mandate to keep it longer than the business transaction that created it? If so, what is the maximum duration required or authorized? What rule should be implemented to delete the data in due time?
6. Is pseudonymization or anonymization possible?
Pseudonymization replaces the identifying data with a pseudonym (for example a keyed hash or a lookup token) using a mapping that always yields the same pseudonym for the same person, so records can still be linked; the additional information needed to reverse the mapping (the key or the lookup table) must be kept separately and protected. Anonymization irreversibly destroys any way of recovering the original data. If either is possible, it is preferable. Otherwise the data should be encrypted to maintain confidentiality, using authenticated encryption (or a separate MAC) where integrity must also be protected.
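As an added illustration (not part of the original post), the following Python shows the difference between the three options in practice: an unkeyed hash, which is deterministic but can be reversed for guessable identifiers such as e-mail addresses; a keyed HMAC pseudonym, which is deterministic (so records of the same person can still be linked) but cannot be recomputed without the key that is held separately; and anonymization by dropping direct identifiers and generalizing the rest. The records, the candidate list and the key are all constructed for the example; in a real deployment the key would live in a secrets store, not next to the data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (fictional people, not real data).
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "age": 34, "postcode": "75011", "purchase": "book"},
    {"email": "bob@example.com", "age": 52, "postcode": "69003", "purchase": "lamp"},
    {"email": "alice@example.com", "age": 34, "postcode": "75011", "purchase": "pen"},
]


def pseudonymize_naive(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic, but anyone who can guess the identifier can recompute the
    hash, so for low-entropy identifiers (e-mail, phone, national ID) this is
    NOT a real pseudonym.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonymize_keyed(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key kept apart from the data.

    Same identifier -> same pseudonym, so the dataset stays linkable.
    Without the key the mapping cannot be recomputed or brute-forced.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover an identifier from an unkeyed hash by hashing each guess.

    Demonstrates why pseudonymize_naive() is reversible in practice.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize_naive(candidate), pseudonym):
            return candidate
    return None


def pseudonymize_dataset(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed pseudonym; keep other fields."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != "email"}
        row["subject"] = pseudonymize_keyed(rec["email"], key)
        out.append(row)
    return out


def anonymize(record: Dict) -> Dict:
    """Irreversible: drop the direct identifier and generalize quasi-identifiers.

    Age becomes a ten-year band and the postcode is truncated to its region
    prefix, so no field can be used to get back to the person.
    """
    decade = (record["age"] // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "region": record["postcode"][:2],
        "purchase": record["purchase"],
    }


if __name__ == "__main__":
    # The key is generated here only for the demo; store it separately in practice.
    key = secrets.token_bytes(32)
    naive = pseudonymize_naive("bob@example.com")
    print("naive hash reversed to:", dictionary_attack(naive, ["alice@example.com", "bob@example.com"]))
    for row in pseudonymize_dataset(RECORDS, key):
        print(row)
    for rec in RECORDS:
        print(anonymize(rec))
```

Note that the keyed pseudonym still counts as personal data under GDPR while the key exists; only the anonymized rows fall outside the regulation, which is why the key must be kept separately and why anonymization is preferred when the use case allows it.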
7. What can I do to make investigating new use cases easier?
Write a 'code of conduct' and apply it systematically whenever a new use case comes up, to ensure consistency. Test the process and analyze how well it works.
Learn more about European data protection here.