If people entrust your company with their personal data, it is your responsibility to protect it. GDPR provides a good framework even if it doesn’t apply in your geography.
Below is a list of things you can do, in no particular order, which I use as a cheat sheet when starting a data protection programme in a company.
Make an inventory of all personal data you hold. Know (and document) what you collect and how, why you collect it, who you share it with, where it is stored and for how long.
Honour the rights of individuals
Develop comprehensive processes to support data subject requests (the right to be informed through consent and notice, the right of access and data portability, the right to erasure, etc.).
Privacy and security by design
Build privacy, compliance and data protection considerations into product development, with regular review and testing. Minimise the data you collect and don’t retain it beyond what is necessary.
Technical security measures
Implement technical controls to protect customer data, for example access control, encryption, logging and monitoring.
Processes for breach response
Establish an end-to-end incident identification and response process to handle security and privacy incidents as part of the broader security strategy.
Awareness and training
Provide data protection and privacy training for staff. Extra points for regular bespoke education and awareness sessions addressing topical issues.
Data Protection Officer
Appoint a data protection officer and get legal support. Perform data identification and classification. Make conducting privacy impact assessments on new projects a habit. Involve relevant stakeholders.
Get on top of data protection addenda to agreements, vendor management, client consent management and cross-border transfer agreements.