Notice that the title does not say 10 "Easy" Steps! There is nothing easy about compliance in general and the GDPR specifically. Far from it. However, these ten (10) steps have been vetted in other compliance regimes (e.g. HIPAA) and have proven robust. Further, the reader should note that the title says "Launching" and not "Completing."
You can get your GDPR initiative "off the ground" with these steps but you are far from done. In fact, as anyone who has ever seriously tackled the compliance challenge (under any non-trivial regime) knows, you will never be done. Many are the poor souls who have been fooled by a "once and done" strategy, though.
(1) Gather data landscape/data audit/data inventory: find and analyze your personal data ("PD"); without an inventory of your PD you are likely to incur the wrath of the Supervisory Authority (more than you otherwise would) when (not if) a breach occurs. Without an inventory of your PD you are in willful neglect land, subject to the steepest penalties.
(2) Develop, review, and distribute policies: this is such an obvious win BUT so many companies neglect this aspect of compliance. You need to have a clear understanding of your internal policy objectives and be able to communicate that to your employees. Obviously, you need SO much more, but policies are foundational.
(3) Understand a Data Subject's bill of rights & processes: the GDPR establishes "fundamental rights" for Data Subjects. In the U.S. this would be like freedom of speech or freedom of the press. We don't pay THAT much attention to privacy in the U.S., although after the Facebook debacle that may change. However, make no mistake, the GDPR is deadly serious about a Data Subject's "constitutional rights."
(4) Perform Risk Assessments on high-risk personal data ("PD") Processing: in the HIPAA universe Risk Assessments suck up all the compliance oxygen in the room. They are STILL important under the GDPR but qualitatively different. First, under the GDPR the assessment of risk is performed from the perspective of the Data Subject, not the organization. Second, you don't need to do it in all cases, only "HIGH RISK" use cases (whatever that means).
(5) Identify low hanging fruit & pick it: encrypt; encrypt; encrypt!
(6) Create a GDPR compliance repository: you need a "single version of the truth" space where you store your compliance documentation and it should be secured yet visible to the organization (e.g. an Intranet).
(7) Implement the necessary safeguards: you are now in the security controls business. You need to implement a set of controls that will protect PD. Without controls, policies are nothing more than flowery language; they remain important but ONLY to the extent that there are processes and controls that underpin them.
(8) Train your staff: again, like policies, this step appears so obvious and yet it's often overlooked. EVERYONE needs some basic GDPR training; without exception. GDPR is an organization-wide challenge, not just an information technology challenge.
(9) Prepare for Breach notification: GDPR introduces breach notification into the EU for the first time. It will quickly become the 800-pound gorilla.
(10) Katrina-proof your disaster recovery: ultimately this is the practical objective you should have in mind when considering how to protect PD. Ask the question "Would our PD survive Katrina?"
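As an added illustration of step (1), not code from the original post, here is a small Python sketch of the first pass of a data inventory: scan a set of data sources for common PD indicators (email addresses, phone numbers and IP addresses, which can be PD under the GDPR) and flag any source that mentions special-category terms in the sense of Art. 9, since those are the sources step (4)'s high-risk assessment will want first. The source names and contents are constructed sample data, and the regular expressions and the special-category word list are my own assumptions; a real inventory would read from file shares, databases and SaaS exports rather than an in-memory dict.

```python
import re

# Constructed sample data sources (hypothetical names and contents, not from the post).
SAMPLE_SOURCES = {
    "crm/export.csv": "name,email,phone\nAnna Example,anna@example.org,+44 20 7946 0000\n",
    "hr/notes.txt": "Employee 4711 reported a medical condition; contact j.doe@example.com",
    "web/access.log": '203.0.113.7 - - [10/Oct/2023] "GET /index.html" 200',
    "docs/readme.md": "Build instructions: run make and then make test.",
}

# Detection order matters: IP addresses are masked before the phone pattern runs,
# otherwise a dotted quad such as "203.0.113.7" would also be counted as a phone number.
PD_PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
]

# Special-category indicators (Art. 9 GDPR); the term list is an assumption for this example.
SPECIAL_CATEGORY_RE = re.compile(
    r"\b(medical|health|diagnosis|religion|trade union|ethnic)\b", re.IGNORECASE
)


def scan_text(text):
    """Return {category: count} for PD indicators found in text.

    Each match is masked out before the next pattern runs so that one value
    is never counted under two categories.
    """
    counts = {}
    for name, pattern in PD_PATTERNS:
        found = pattern.findall(text)
        if found:
            counts[name] = len(found)
            text = pattern.sub(" ", text)
    return counts


def build_inventory(sources):
    """Map source name -> {"categories": counts, "high_risk": bool}.

    Only sources that contain PD indicators or special-category terms are kept;
    everything else is noise for the inventory.
    """
    inventory = {}
    for name, text in sources.items():
        counts = scan_text(text)
        special = SPECIAL_CATEGORY_RE.search(text) is not None
        if counts or special:
            inventory[name] = {"categories": counts, "high_risk": special}
    return inventory


def render(inventory):
    """Plain-text report lines, high-risk sources first, then alphabetical."""
    ordered = sorted(inventory.items(), key=lambda kv: (not kv[1]["high_risk"], kv[0]))
    lines = []
    for name, entry in ordered:
        cats = ", ".join(f"{c}={n}" for c, n in sorted(entry["categories"].items()))
        flag = "HIGH RISK" if entry["high_risk"] else "standard"
        lines.append(f"{name}: {cats or 'no pattern hits'} [{flag}]")
    return lines


if __name__ == "__main__":
    for line in render(build_inventory(SAMPLE_SOURCES)):
        print(line)
```

Running it lists the three sources that carry PD indicators, puts the HR notes at the top because of the special-category term, and drops the README entirely. The point of the masking step is visible in the access log: it is inventoried once, as an IP address, not twice.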