I have to agree with Mr. Lahiri of Egnyte that a good attitude is key to assisting with GDPR compliance.
There is a lot of negative press around GDPR and a lot of scaremongering. The reality is that there are a lot of unknowns in GDPR; and yes some of the obligations are cumbersome, but that's not a reason for paralysis.
The key guiding principles of GDPR are awareness and accountability. Those are reasonable concepts when you are dealing with someone's personal and private data. You should know what data you are collecting about people. You should know why. You should keep it secure. You should let people know what you are doing. You should not keep it for longer than you need to and you should not spam people with marketing materials they don't want.
This is really the crux of GDPR and it's fair enough. In order to be able to answer all of those questions, you need to know what you are dealing with. My advice is to get that project team together and start gathering information on the personal data you hold asap. Your advisors can't assist you with GDPR compliance projects unless you know what you have in the first place. If you don't need it - get rid of it.
I've included the link to our checklist outlining the main actions organisations should be taking on their GDPR compliance journey. I cannot say it enough the main action is to start.
This checklist cannot deal with all aspects of GDPR compliance as this will depend on the individual organisation and the personal data it holds and processes, for example, the checklist does not deal with children’s data, specific processor obligations and other important areas that arise under GDPR. It is a guideline document only to help organisations get started and it is the minimum steps that we would expect to see an organisation taking to become GDPR compliant.
To access the checklist click here
As for general recommendations, Lahiri’s first and last steps towards compliance are the same: people. Whether it’s assigning a DPO or offering data protection training to staff, education is crucial. Lahiri added that the data protection team should be cross-functional, with diverse and varied skillsets. He concluded by explaining that organisations will have to re-evaluate how they collect and use data. “GDPR expects you to use a lot of data minimally. People have happily taken as much information as they could whether they needed it or not. “GDPR has challenged this –just take what data you need for your processing, not everything under the sun.”