Planning for GDPR compliance
With the General Data Protection Regulation (GDPR) only months away, businesses face a race against the clock to achieve compliance in time for its arrival. According to Paula Tighe, Information Governance Director at Wright Hassall, there is a lot of work to be done before companies fully understand the new regulation and what it entails.
Achieving compliance requires months of careful planning; it is not something that should be left to the last minute and rushed shortly before the regulation takes effect.
Despite the UK leaving the EU, GDPR will still apply: wherever your data comes from, if you use, record or process personal data in the EU, or the data relates to individuals in the EU, you must comply.
Raise awareness and register it
One of the most important changes your business should make is to start recording the entire compliance process, noting any significant changes to company policy.
Also known as the ‘data register’, this record will help protect your organisation during the initial months of GDPR, as it shows what personal data you currently hold and the reasons for processing it.
Rather than stopping you from doing things, compliance aims to improve standards by encouraging you to adapt existing procedures, making them more efficient where possible.
Review your existing privacy notices and policies, in both digital and hard copy form: are they concise, written in clear language, easy to understand and easy to find?
Finally, assess how you communicate these notices and policies to data subjects, ensuring you explain why you process the data, how long you retain it and how individuals can complain to the Information Commissioner’s Office.
Rights of the individual
GDPR aims to give individuals greater control over their personal data, including the right to have their information corrected or even erased completely, so it is important that companies introduce procedures to process such requests efficiently.
Perhaps one of the key drivers for the changes is the right of an individual to object to their data being used for direct marketing, as is the right to challenge automated decision-making and profiling.
Having transparent procedures will mitigate many potential problems with the regulator, whether or not complaints or investigations arise. If your organisation already handles personal data correctly under the current Data Protection Act, the change to GDPR should be manageable.
When an individual makes a subject access request to see what information you hold about them, you must respond within a month. If the request is manifestly unfounded or excessive you can refuse it, but you must tell the individual why and that they can complain to the regulator.
Never assume consent
Handling consent for the capture and use of personal data for anything beyond simple contact is a tricky area. Individuals must give clear consent for their data to be used and must be able to withdraw that consent at any time; if you want to use their data for a different purpose, you must obtain fresh consent.
How you obtain, confirm and record consent will help mitigate any future problems at the hands of the regulator.
Keep reviewing and keep recording
Where data processing could pose a significant risk to individuals because of the technology being used or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA), which GDPR refers to as a Data Protection Impact Assessment.
These assessments help you and the regulator judge the likely effects on individuals of the processing, including what would happen if their data were lost or stolen, and should form part of your ongoing processes. Ensure you have a robust process for carrying out the assessments, and record both the assessment and its outcome.
Make someone responsible and keep it up
If your company deals with large quantities of personal data, it may be worth appointing a dedicated Data Protection Officer to oversee procedures and ensure you remain compliant with GDPR.
Paper records are also covered by the regulation, so ensure all your staff are trained in the correct handling of personal data in every format.
Remember, recording the compliance process in your data register can help mitigate the risk of penalties for non-compliance, especially during the first few months.
Organisations that can show they have tried to meet the requirements will fare better than those that cannot.