12 (or 13?) Steps to GDPR compliance
Talk to your board – you have to have senior management buy-in, and approval.
Raise awareness – your wider staff cohort will need to be briefed about changes to the way they work, particularly if they handle personal data. Staff members who handle personal data operate your data processing systems and will be applying the regulation every day. A formal ongoing security awareness training programme is essential, covering GDPR obligations as well as cyber security principles in general.
Map your data – Understanding where your data is held, where it came from, who you share it with, and who has access to it is a vital first step to compliance. Carry out an information audit and document, document, document!
Review Privacy Statements and Security Policies – The GDPR requires you to tell your customers how you will use their data, who you may share it with, how long you will keep it, in clear and concise terms that can be understood by humans. This needs to be detailed in your Privacy Statement and relevant security policies.
Protect the Rights of Individuals – It’s your responsibility to facilitate the rights of individuals, including the right to erasure, data portability, and the right to access data. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete data or provide data electronically and in a commonly used format.
Make your data accessible – Set up processes to make sure you can handle an increase in Data Subject Access Requests (DSAR) in the 30 day timeframe required by the GDPR.
Review Data Processing Procedures – It’s vital that you have a legal basis for processing data and are able to provide your supervisory authority with proof. Document everything you do. Consider information security frameworks like Cyber Essentials.
Consent needs to be explicit and affirmative – To collect data from your customers they must be aware of it and give you permission to do so. And consent needs to be obtained and verified from parents or guardians for U16s. You should review how you are seeking, obtaining and recording consent and determine if you need to make any changes.
Review breach notification and incident response procedures – Your breach notification process must enable you to tell your supervisory authority about a data breach within 72 hours of discovering it. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Build in Privacy by Design – The GDPR makes privacy impact assessments (PIAs) mandatory where there is a high risk to data privacy. This will help to reduce risks to individuals by ensuring security is no longer an afterthought. Data security is a fundamental principle of the GDPR. You should familiarise yourself with the ICO’s guidance on PIAs and work out how, and when, to implement them.
Liaise with 3rd party processors and suppliers – ensure your processors, such as email marketing services and hosted CRM services, have the necessary data protection procedures in place, particularly if they are outside the EEA. Data transferred internationally has to be based on adequacy decisions, i.e. acceptance that the data protection laws in those countries are suitable.
Assign a DPO? – If your business needs to nominate a Data Protection Officer (DPO), they are responsible for your business’s data protection compliance. Consider outsourcing this function. The DPO will be the point of contact for both the Supervisory Authority (in the UK, the ICO) and for data subjects.
International Arrangements – if your organisation is multi-national you should determine which DP supervisory authority you come under.
For more information give Tony a call
T : +44 8456 171819 | F: +44 1462 675640 | U: http://www.octree.co.uk