1. Conduct a data inventory and mapping exercise. It’s vital to know how
personal data is entering your organization, where it’s being stored,
who it’s being shared with, and when it’s being deleted. Remember to
think of personal data broadly. It’s more than just credit card numbers
and national ID numbers. Rather, it’s any data related to an individual
person or created by them.
2. Establish your legal grounds for processing. There are six legal
bases for processing the personal data of people in the EU. Consent is
just one of them. You might find that you have a contracted relationship
with your members you can leverage. Regardless, work with privacy
counsel or consultants to figure this part out. If you can’t establish a
valid reason to process, make it stop.
3. Create a data governance system. Create rules for who can handle and
who has access to personal data. Follow them. Have a plan for how to
delete information you’re no longer using, as it now represents a
significant risk to your organization.
4. Create a process for privacy impact assessments. This is part of a
process called “privacy by design.” Every time you think up a new
product or service for your members that might include the use of
personal data, make sure you apply a process that examines which
personal data will be used, how it will be used, and what the legal
basis for processing that data is.
5. Understand how long you’re going to keep each piece of data and why.
Sure, storage is cheap, but data is now as much a risk as it is an
opportunity. GDPR says you need to delete data once the purpose for
which you’ve processed it has been completed. And if you’re keeping
data, you need to have records to show what legal right you have to it.
6. Update your privacy notice. Tell people exactly what you’re doing
with their data in clear and concise terms. Do only what you say you’re
going to do. And make sure to appoint a data protection officer and let
people know how to contact that person.
7. Figure out how to accommodate data subject rights. Your members in
the EU now have the right to see everything you hold about them, to
correct what’s wrong, and even in some circumstances to ask you to
delete that data. Can you produce a member’s record on demand?
8. Create a data breach response plan. GDPR demands that you notify your
European regulator (you might have to figure out who that is) if you
have a significant data breach, within 72 hours of discovery. Could you
9. Establish solid contractual agreements with your vendors. If you’re
sharing data with anyone—a company that supports your technology
systems, for example, or that helps you put on a tradeshow—make sure you
have a contracted relationship so that you and your vendor both have
the same understanding of what can and can’t be done with your data.
10. Identify and contact your supervisory authority. As mentioned above,
even if you don’t have a physical location in the EU, you still have to
identify a lead regulator in one of the member states if you’re doing
significant business with members or other customers in Europe. Call the
regulator and tell them who your data protection officer or other point
of contact is.
All of this can be paralyzing for some organizations. But the first step
is simply to start. Organize stakeholders. Create a plan of attack. And
turn to your colleagues, including the community of privacy