GDPR is no secret. Most people will be aware of the upcoming changes to the UK’s data protection regulations, but what they may not be aware of is what the new General Data Protection Regulation (2018) will mean for businesses. You only have until May 25th to make sure you’re compliant, so it’s important to understand how it affects you. If you haven’t already done so, it is essential that you start preparing for these upcoming changes, as failure to do so could lead to serious repercussions. However, knowing where to begin can be daunting, so here are a few tips to help you get started:
1) Be Organised – Organisation is key: knowing what information you hold and how you store it can make the whole transition to GDPR compliance easier. The General Data Protection Regulation will bring major changes to how you manage and store an individual’s information, and to the rights the individual has over their own data. So, in order to be compliant, you need to be able to tell individuals exactly what information of theirs you have and where it is stored, and if they request it, you must delete or destroy any data that they do not want you to have. Knowing what information you hold will also help determine any extra permissions you might need. For the first time, GDPR will bring in special measures to protect the personal data of children, so you may need parents’ or guardians’ consent to process their information.
2) Update Policies and Procedures – Since GDPR gives individuals more control over their personal data, you might need to put a system in place to handle data protection requests, if you don’t have one already. This includes creating a plan to process each request efficiently and within a given timescale. Once a lawful basis for your processing activity has been established, make sure it is documented and contained within your privacy notice so that people can easily access this information if they wish to do so.
3) Consent – If your existing consents do not meet the GDPR standard, you need to make sure you refresh them now. This means that consent must be given freely and unambiguously. Individuals need to be able to make an informed decision about what they are actually consenting to. They must specifically opt in, meaning you cannot accept silence as consent, nor can you trick people into giving it through pre-ticked boxes and forms.
4) Protection by Design and DPIAs – GDPR now makes protection by design a legal requirement, in addition to making ‘Data Protection Impact Assessments’ mandatory in certain situations. You should familiarise yourself now with where a DPIA may be required, to ensure you’re compliant by May 25th. Examples of circumstances that require one would be the deployment of a new technology, or mass processing of special categories of data.
5) Data Breaches and Protection Officers – Under GDPR, all organisations must report certain types of data breaches to the ICO, so it is essential that you have a procedure in place to detect, report and investigate any data breaches that could potentially occur. The best practice approach with GDPR is to be well informed, and prepared for the worst. Making a person within your organisation responsible for GDPR can make this process go much more smoothly. It is important that this person is well clued up on GDPR, and understands what their role entails. In some situations, you are required to formally designate a Data Protection Officer, so you should find out as soon as possible whether your business is required to do this.
Of course, this just covers a good starting point for GDPR compliance, and there is still much more you may need to look into. In particular, if your business operates in more than one EU member state, there may be extra legal obligations placed upon you, so you should find out about these.
Remember: be organised, open and well informed, and you’re well on your way!