What exactly is GDPR?
Put simply, GDPR (the General Data Protection Regulation) is a piece of EU legislation that comes into effect on 25 May 2018 in all EU member states.
Its core aim is to establish a set of rules that define how organisations must protect a person's data. Many of the requirements in GDPR are similar to those already found under the Data Protection Act 1998. It applies to you if you process the personal data of individuals in the EU, whether or not your organisation is itself based in the EU.
The UK government has also indicated that it will continue to apply GDPR after Britain formally leaves the European Union, so Brexit is not a reason to delay.
Getting started
Before you make any changes, it is important you consider the following:
Inform key decision makers: Those who need to know about the regulation should know about it. Make sure you involve all key decision makers in the process of implementing a GDPR strategy.
Review your current policies: Take a look at how you currently process and handle data, including all the personal data you hold and why you hold it.
Review how you will manage consent: Compare how you currently obtain data with the new rules governing consent. Under GDPR consent must be freely given, specific, informed and unambiguous, and a pre-ticked box no longer counts.
Create an action plan: Becoming GDPR compliant cannot happen in just one day. Create a simple, easy to follow action plan that clearly sets out each person's responsibility and a deadline for it.
What do I do with my current list of data?
The simple answer is to check whether you still have a lawful basis for holding their data. Consent is only one of the lawful bases GDPR recognises; if you rely on it, make sure the consent you already hold would meet the new standard, and where it would not, contact the people concerned with a consent form or a confirmation link and keep a record of who confirmed and when. Be careful here: a re-consent email sent to people who never agreed to receive marketing from you is itself an unsolicited marketing message, so check your existing records before you send anything.
Ways of showing you're compliant for the future
Be clear: Have an easy to read statement that shows exactly how you handle a person's data, including what information you will hold, what it will be used for, and how long you will keep it.
Keep a record: You should document what personal data you hold, where it came from and who you share it with. The ICO recommends carrying out an information audit if you're unsure.
Allow people to see what data you hold: Implement a policy that easily allows a person to request the data you hold about them, and make sure you provide it within the GDPR timescale, which is normally one month from the request.
Double opt in: If your business makes use of email marketing, consider having a double opt in process. This means a person has confirmed twice that they wish to receive direct communication from you. Not only does this give you a clear record of consent, it also shows you have a potential client who is genuinely interested in your products or services.
Appoint a data protection officer: GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. Even where it is not mandatory, appointing an experienced and/or qualified DPO to take responsibility for data protection within your organisation is good practice.
Assess your security: Make sure the data you hold on people is kept securely. For example, if you use paper forms, keep them locked away with access limited to those who need it; if you keep data electronically, invest in controls such as access management, encryption and tested backups. GDPR expressly names encryption and pseudonymisation as appropriate measures.
If something goes wrong: If an issue occurs, such as a data breach, you will need to have a plan in place that deals with it effectively. Where a breach is likely to put people at risk you must report it to the ICO within 72 hours of becoming aware of it, and where the risk to the individuals is high you must also inform them directly.
The final update
Once you have established your new policies and everything is in place, the last step is to update your privacy notice so that it clearly reflects everything you have amended and what you will implement going forward. Remember to keep your privacy notice clear and transparent to everyone to ensure you stay within the GDPR rules.
Changes
In the future, if you find you have to make changes, make sure they still fit within the rules of GDPR, and update your clients and your privacy notice accordingly.
Make your IT GDPR compliant
IT-Logik offers a GDPR consultancy service which aims to ensure your IT infrastructure is GDPR compliant. To find out more about this service, click here.