I recently attended a workshop hosted here in Houston by TrustArc. They have a few more going on the rest of this year, schedule here. Surprisingly, it wasn't sales-y at all and really gave some great information. I wanted to share out the slides from the workshop and some notes I collected.
Slide 10: GDPR effects data stored in the EU, not just EU data.
Slide 15: Databreach warning is applicable to customers OR anyone in your system with personal data.
Controller - you own the data, you use the data. ex. customers, employees, collect IP address & cookies - you're the controller
Processor - your vendors, people that use your product through partners, customer's customers, etc.
Need to document your status on all data you have.
Slide 16: "Adequacy" also depends on each country within the EU.
*Binding Corporate Rules* Not 100% sure on what this is, but it seemed like you want to get it in place.
Document how you transfer data and where it goes and who touches it.
Slide 17: I found this interesting. Service cannot be conditioned as consent unless necessary for the service. So, this seems to cover the email sent to a user to set up a password, but does a warning email about scheduled maintenance necessary for the service?
*Can't pre-check the consent box. They have to take action to give consent.
Slide 19: Carefully look at retention and distruction timeframe. "Undue Delay" is not defined.
"Automated" means you have to accommodate an automated way for a person to request their information to be removed.
Slide 21: Data Protection Officers were highly recommended. They can be outsourced.
You must have a privacy impact assessment program for any "high risk to rights and freedoms" from processing and may be required to consult with your regulator.
A lot of this "High risk" data is usually surrounded around genetic and bio metric data - not too common for B2B marketing.
Slide 23: Breach notification standards: 72 hours after awareness
Slide 26: You can be asked for your data inventory by regulators of GDPR. You have to have it unless you're under 250 people.
Slide 31: Great slide to help you start listing all the buckets your data goes into and all the sources it comes from. (Ex. Content Syndication, Integrate, Marketo, Datafox, Ringlead, SFDC, BrightTalk/GotToWebinar, etc.)
Slide 37: Provides a mock up of how you would map out data collection, storage, access, and transfer within excel. Again, this company also has a tool to do this. You can basically take a survey and it fills it out for you. However, I suggest you have a DPO, or legal, or a compliance officer review and add detail.
Slide 39: Data Mapping - can be really simple, and not even required. You just need it documented in some fashion.
Slide 47: DPIAs are required for controllers, PIAs are required for processors.
Document everything about the data you collect, access, use, store, and transfer. I think that's a tough project to start and probably best to have your C-Level start with reviewing and understanding GDPR - then have a person in charge of documentation. Then, that person then contacts the head of every department in the organization, and so on until every employee submits their version of data processing. Then it's collected and reviewed by the person in charge of documentation.
I am no expert, and please don't take counsel from me. I'm just sharing information I collected from a workshop.