After all the build-up, GDPR finally swept in on 25th May 2018 when the EU legislation was implemented in the UK. For most people, the milestone passed by with a flurry of emails from companies begging to stay connected, with everything from free prize giveaways to emotional blackmail used as tactics to gain consent from their customers to stay on their mailing lists.
Yes, for most of us the date simply marked a significant decrease in the number of emails in our inboxes each morning. However, for anyone involved in the collection, storage or processing of the personal data of any EU citizen, the arrival of the GDPR marked the deadline for ensuring compliance with one of the biggest changes in data security law this country has ever seen.
So, how do you know if your company is ready and compliant?
GDPR Compliance Checklist
We’ve put together a checklist to assess whether your organisation has done enough, in time, to establish data compliance standards for GDPR.
1. Preparing Your Staff
You should already have identified key personnel who must take responsibility for understanding the impact of GDPR on your business and ensuring compliance. Some companies have chosen to outsource elements of this role whilst others will have hired, or changed the job function of, an individual.
If your organisation:
- deals with large-scale data collection, processing or storage (including the systematic monitoring of individuals);
- is a public body; or
- processes and/or collects special categories of data, including health records, criminal convictions etc.
then you will need to ensure you have appointed a Data Protection Officer (DPO) to comply with the mandatory element of GDPR staffing. Though not compulsory for many businesses, appointing a DPO is widely seen as good practice.
2. Assess the Data Held
You should by now have identified all the personal data that your organisation stores and made an inventory of:
- the purpose of this data;
- the source of this data;
- how this data is distributed.
3. Update Privacy Policy
Your company’s privacy policy must be updated to be relevant to GDPR. The legislation requires that this is a stand-alone document that is both clear and concise. It should include information about how you intend to use the information that you collect, how long it will be stored for and accurate information about how it is shared. It should also have simple and explicit details about how an individual can withdraw their consent.
4. Put Yourself in Your Customer’s Shoes
One of the keys to assessing your GDPR readiness is understanding the rights of the individual under GDPR. The protection of GDPR extends enhanced rights for an individual as follows:
- the right of access to their data;
- the right to be informed about the use of their data;
- the right to be able to rectify data held about them;
- the right for their data to be erased;
- the right to restrict how their data is shared (and with whom);
- the right to data portability;
- the right to object to the use of their data;
- the right for their data not to be used for automated decision making, such as that used in profiling.
5. Review Your Response Time
Some of the rights above must be able to be dealt with within a 30-day timeframe. Assessing your organisation’s ability to handle requests for access, erasure, portability or rectification is essential to ensure compliance.
If you handle large volumes of data then consider the impact on staff resources to meet this requirement.
6. Safeguard Accountability
It is a major requirement of GDPR that you document the process by which data is collected, stored, used and shared. An individual’s rights may also be modified depending on the legal basis on which you process their data. Ensure that you have a robust process for documenting compliance.
7. Nothing Less than a Yes, Without Duress, Will Do
GDPR is all about consent, and the process by which you collect personal information is one of the major factors for compliance.
You should ensure that the process for data collection fully complies with the requirements of GDPR including how you record this consent, manage withdrawn consent and provision for minors (under the age of 16) who must have parental approval to issue consent.
Consent must be an active opt-in process with clarity on how and what you are using the data for along with how to withdraw consent for data to be used, stored or shared.
8. Report Breaches
Data Controllers must be registered with the Information Commissioner’s Office (ICO) and organisations must have an effective and actionable policy in place for dealing with data breaches. As well as reporting these incidents, procedures should be in place to detect potential threats, manage outbreaks and investigate any events that occur.
9. Incorporate Data Privacy by Design
Conduct Privacy Impact Assessments (PIAs) to assess how data is managed within your company’s processes. PIAs are mandatory in certain circumstances and the GDPR explicitly requires ‘data protection by design’. This means that data privacy should be a key focus in your organisation’s activities.
10. Understand the International Impact
If your organisation is operational across EU borders then it is essential that you comply with the supervising local data protection authority.
Getting Assistance
Ensuring compliance with GDPR is proving to be a mammoth task for some organisations and, although the implementation date has now passed, it would be naïve to think that everyone is ready and prepared. Seeking help to get your systems and processes in place is essential if you think that you have not covered any one of the above steps.