The question your company should ask is not, “Are we compliant?” Instead, it’s more effective to ask, “How compliant are we?”
GDPR is not a black-and-white regulation. One of the most effective ways your company can get started is to adopt a risk-based approach. By evaluating the risks in your existing data policies and internal data processing methods, you can address the highest risks first and increase your overall compliance. There are three key questions that will help you evaluate risks:
- What harm might come to this individual if his or her data gets into the wrong hands?
- What negative impact will insecure data processing have on this individual?
- How likely is it that this will occur?
The highest data risks in your company will be where sensitive data is processed in insecure systems. For example, if your company suffers a data breach that reveals all of your customers’ favorite ice cream flavors, the potential harm to each user is minimal. The stakes change, however, when what is revealed is something like health information or religious views.