Data protection law is changing on 25 May 2018 and all organisations need to be ready for the General Data Protection Regulation (GDPR). All businesses are different, so there is no single set solution; each company should assess its own data collection and storage practices and establish what it needs to do to become or remain compliant. We have a few tips and suggestions on what you need to do.
The new regulation is designed to give EU citizens and residents more control over their personal data. The GDPR will apply to any business that processes the personal data of EU citizens (this includes businesses with fewer than 250 employees). NB: personal data includes data about customers, suppliers, partners and employees.
Assessing Your Data
There are three main areas to review:
- Start by looking at what personal data your business collects or keeps. Next, consider how that personal data was obtained and what consents were obtained to use it. Also, did those people know of their right to withdraw that consent or opt out?
- Is there a mechanism to review how long data is held? The new regulation looks to ensure that information is not held for longer than necessary and that it is kept up to date.
- The third area is how safe your data is. Is it kept securely, with a level of security appropriate to the risk? This can include physical security, protection against hacking and the level of encryption applied to the data itself.
This will become your data audit. Record where all the personal data your business collects comes from, then note how it is processed and used and who can access it. Once all the information is recorded and analysed, you will be able to determine what to keep, what to delete and what to encrypt. Act on your findings: revise operational areas or processes that do not comply, and contact individuals where consent needs to be updated.
Keeping GDPR Compliant
One of the key first steps towards company-wide compliance is creating awareness of the new data regulation among all the employees of your business. Organisation-wide understanding will help ensure you remain compliant.
Look at how you collect new data and ensure that you are getting a level of consent commensurate with what you intend to do with that information. Your privacy notices need to state your lawful basis for processing the data and your retention periods, and inform consumers that they have a right to complain. Be aware that the new regulation requires clear, easy-to-understand consent processes; lengthy legal small print does not qualify. It also has to be just as easy for an individual to withdraw consent as it is to give it.
Under the GDPR, data subjects (consumers) will have the right to request information about their personal data from you. They will have the right to know whether their data is being processed, where it is held, and why. As a data controller you will also have to provide a copy of the personal data, free of charge, should it be requested. They can also request that you delete it.
There needs to be a named person who is responsible for reporting a breach of personal data to your local authority. If you suspect a breach has taken place, who in your organisation needs to be notified?
More Assistance On GDPR
This is obviously a topic that needs serious attention from all companies, and this guide will help point you in the right direction. You will of course need more detail to become compliant, and the Information Commissioner's Office is the best source for a very comprehensive guide to the GDPR.