Organisations across the UK are endeavouring to comply with the EU's General Data Protection Regulation (GDPR) by the 25 May deadline.
All businesses of any type or size must ensure they're taking appropriate measures to secure the data they store or process and treat it in line with the new data protection rules.
What exactly does compliance with GDPR involve? Here are all the things you should have started considering.
• Audit all the information you hold: You must devise a list of the personal data you hold and sort it by type, e.g. names, addresses, phone numbers, and so on. You must also document the source of each separate piece of information.
• Establish how you store data, and who it's shared with: This includes internal databases, offline stores and third-party storage providers. You must establish which parties you share your data with so that you are easily able to delete or amend that data.
• Document how data is processed: Organisations will need to outline all processing activities, including keeping the name and contact details of the data processors and the categories of processing carried out.
• Refresh existing consents if necessary: Consent must be given freely – it needs to be a positive opt-in. You must explain clearly and specifically why you're collecting certain data and what that data will be used for, plus which third-party controllers will be able to use that consent. You also need to make clear that users can withdraw their consent at any time.
• Highlight any third-party processors: Third-parties will need to respect your data subjects' rights just as much as you do.
• Respect new and existing customer rights: You should examine your procedures to ensure they cover new and existing customers' rights, and how you plan to delete or provide personal data on request.
• Fulfil Subject Access Requests (SARs): People's requests to access the data you hold on them must be fulfilled within a month.
• Right to rectification, restriction, and erasure: The new legislation outlines how users have more control over their personal data. The key to respecting these rights lies in understanding how your organisation plans to handle the flow of requests to amend any data inaccuracies, to comply with a demand that you stop processing someone's data, and to erase any personal data you hold at their request.
• Implement staff training: Training all your staff to be aware of how GDPR affects their daily work not only maximises your organisation's chances of full compliance, but minimises any risk of suffering data loss or theft.
• Appoint a Data Protection Officer (DPO): Your organisation must designate a DPO with the responsibility for data protection compliance. The DPO must have the right knowledge, support and authority to carry out their duties effectively.
• Carry out a Data Protection Impact Assessment (DPIA): DPIAs are mandatory for certain organisations in cases where a new technology is being deployed or a profiling operation is likely to affect customers. DPIAs help to establish how risky certain data processing activities are. Your organisation should consider where DPIAs are necessary and, if so, how you will run the process.
• Report data breaches: Any breaches involving personal data must be reported to the ICO within 72 hours, detailing what data has been lost, any consequences, and what countermeasures you've taken. It's vital to cooperate with the authorities as fully as possible, both to minimise the scope for penalties and to ensure your reputation does not suffer any undue damage.