Welcome. GDPR. The General Data Protection Regulation. What is it all about, in layman's English?
If you process (use, store, delete, manage) data (information) about EU Data Subjects (humans) that makes them personally identifiable, no matter what the data is (photo, fingerprint, IP address, name, passport number, you get the idea), then you need to look at it, because it means you have new responsibilities.
If you don't process this kind of data yourself but others do on your behalf, you still need to look into it. You both do. If you feel you still don't have a responsibility, let me ask you a question. Do you have employees? Yes? Then you do.
So where do you start?
Get buy-in from all involved. This is not a job for Sam in IT. Sam will be part of the process, but it is not their job. Nor is it a job for Operations, HR (Human Resources), the post man, Finance or Sales. Think of GDPR as health and safety for data. It is a process change that involves everyone.
If I were you, I would start here:
Understand GDPR: what does it mean for you?
Understand who your core team is.
Get a plan in place.
Use outside help where appropriate. The maximum fine is €20m or 4% of your global annual turnover, whichever is higher. You can't afford to get this wrong.
Understand what data you have.
Understand where it is, where ALL of it is, really!
Understand what risks exist.
Understand your data flows.
Understand who accesses this data, both external companies and internal employees.
Understand what documentation exists and is missing.
Understand what training is needed.
Map all of the above to the specific GDPR Articles. For example: what new rights do employees now have, how should they be notified, and how should that be documented?
Do a gap analysis; this will set your ship in the right direction.