The General Data Protection Regulation (GDPR) is a great way to provide protection for everyone and is also going to be a legal requirement very soon (May 2018).
There are many organisations which have been established to assist with this process; one such company is The GDPR Guys, based in Milton Keynes, UK. It’s important you take steps, either internally or by employing an external advisory company, to ensure you tackle any issues. The ICO have some fantastic guides, like GDPR – 12 Steps To Take Right Now, and their checklist.
Here are some simple yet key steps to ensure your company is not only maintaining best practice but also complying with the law.
1. To start, everyone in the company needs to be aware that GDPR law is changing, which will mean we all need to educate ourselves and review our practices.
2. The decision makers and key people of the company need to be on board with the GDPR and actively work on upholding compliance.
3. All personal data should be handled appropriately. There should be a record of where all personal data is held, where it came from and who has access to it.
4. All privacy notices should be reviewed and updated to include the additional information the GDPR requires to be kept.
5. You should review the GDPR’s definition of individuals’ rights and ensure the company’s practices are in line with those rights.
6. All of the company’s policies and procedures should be reviewed to ensure all rights of individuals are being upheld in accordance with GDPR.
7. Any policies or procedures that do not uphold individuals’ rights as defined by the GDPR should be revised.
8. The company should educate, and provide training where necessary, for staff on what changes have been made to any policies and procedures.
9. Staff should also be educated on any changes and additions to their rights from GDPR such as the right to data portability.
10. You should review the GDPR’s expectations on consent as outlined in the ICO’s publication.
11. The company should also review how consent is obtained, recorded and managed to ensure compliance with GDPR.
12. You should consider whether there is a need to put systems in place to verify individuals’ age and to obtain guardian consent for data processing.
13. It is important to ensure you have procedures in place to find, report and investigate any personal data breaches.
14. Privacy by design is now a legal requirement. The company should be conducting Privacy Impact Assessments regularly.
15. Make sure to familiarise yourself with what the ICO has published on Privacy Impact Assessments to ensure they are conducted appropriately.
16. If your company isn’t using PIAs, get them in place! Read the Article 29 Working Party guidance from the ICO for help with implementation.
17. It’s a good idea for the company to elect or designate a Data Protection Officer (DPO). In some cases, this is mandatory.
18. It is important if you have a DPO to ensure they receive the proper training and education to carry out their role effectively.
19. If you operate in more than one EU member state, it’s important you decide who is taking the role of lead authority. An easy way to do this is to figure out where the biggest decisions are being made.
20. Always be ready to review and revise! Remember that best practice as well as legislation evolve and change, so it’s important that we’re always diligent in making sure we’re up to date on what’s current.