The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It applies to any business that has control over personal data, and those that process personal data on behalf of another business. If you’re not already compliant, this is how to become so.
1. Know the basics
Under existing law, it is the organisation that has control over data that is responsible for ensuring compliance with data protection law. Under GDPR laws, the same provisions will also be directly applicable to processors.
GDPR continues to protect ‘personal data’, meaning data that identifies a living individual (as is covered under the Data Protection Act 1998), but the definition of ‘personal data’ has been clarified so that it explicitly includes, for example, an IP address.
The main intention of GDPR is to provide individuals with greater control over their personal data, which is why it is crucial for companies to introduce new effective procedures and processes to safeguard themselves.
2. Why time is of the essence
If your company handles personal data, it is important that you begin pushing through the necessary changes sooner rather than later, or your business may face the risk of incurring penalties for non-compliance.
Don’t make the mistake of thinking GDPR compliance is a simple box-ticking exercise. It is crucial that your business allows enough time for key decision makers and employees to fully understand the regulations and what they entail. Read the regulations in detail and begin formulating a plan to meet the requirements.
3. Record the compliance process
One of the best ways to protect your business, especially during the initial stages of GDPR, is to record the entire compliance process, making a note of any significant changes your business makes to policies and procedures. Also known as the ‘data register’, this record will show what data your company currently holds, as well as the reasons for processing it and how it was obtained in the first place.
This record will serve as proof that your company is making an active effort to meet the requirements, which can help protect your organisation from any non-compliance claims during the early months. The data register will also help your business adhere to the new accountability principles of GDPR.
4. Review your privacy notices and policies
Rather than preventing your business from doing certain things, GDPR compliance aims to improve standards by encouraging you to take a closer look at existing policies and procedures, and make them more efficient. Start by reviewing your existing privacy notices and policies; are they concise, written in clear language, easy to understand and easily found?
If you are happy with the content of these privacy notices, the next step is to ensure these are clearly communicated to your data subjects. Your reasons for using their personal data should be clearly explained, as should the complaints process if they feel dissatisfied with your service.
5. Introduce effective procedures
Post-GDPR, individuals will enjoy greater control over their personal data, which includes the right to request that their information be corrected or even deleted and wiped from the system completely.
GDPR requires you to have effective procedures in place, so it is crucial that your business introduces or adapts processes so that you can deal with any such request quickly and efficiently.
Once the new regulations are introduced, you will need to be prepared to process any requests that your data subjects may make, so it is important to implement these procedures now, allowing for teething problems during the initial months of GDPR.
Having transparent procedures will also help mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation correctly handles personal data under the current Data Protection Act, the change to GDPR should not be a big cause for concern.
6. Prepare for personal requests
If an individual makes a subject access request (to see what information you hold on them) you must be able to comply within a month - and you cannot charge. You can refuse to comply if you think the request has no merit, but you must tell the individual why and that they have the right to complain to the regulator.
Key areas to remember are: have a procedure to identify requests, assess whether they are excessive (which can make them impossible to respond to), and have a transparent approach to acknowledging and disclosing the data in accordance with the GDPR. Again, in reality, for SMEs it will be more important to show a willingness to comply by endeavouring to put in place all the necessary steps and recording the process in the data register, than it will be to be fully compliant on day one.
7. Never assume consent
Although this may sound relatively straightforward, obtaining consent for personal data to be captured and used for more than just contact is one of the trickier areas of the new regulations. Although an individual must give clear consent for their data to be used, they must be allowed to revoke their consent just as easily, at any time. If you change the way you want to use their data, sharing it with a new business partner for instance, you must obtain new consent. Again, whilst consent can never be inferred and must be explicit, your attempt to obtain and confirm consent, even if you do not receive a reply, will help mitigate any future problems at the hands of the regulator.
8. Keep reviewing and keep recording
Under the GDPR, when you are obtaining and processing personal and sensitive categories of data, you need to record how this data will be retained and under what conditions - for example, is the retention period required for legal, regulatory and/or organisational purposes?
The new regulations require all businesses affected by the GDPR not only to have a retention (data minimisation) policy and schedule, but also to carry out mandatory Privacy Impact Assessments (PIAs) if they want to process personal data as part of normal business practices, if it is to be processed on a new technological or information society system, or if it contains sensitive categories of data.
These assessments will help you determine the likely effects on the individual, mitigate any risk and build ‘privacy by design’ into how you obtain and process individuals’ data. Ensure you have a robust process for making the assessments and then record it, along with the outcome - a PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.
9. Need a data protection officer?
If your company regularly processes personal data or handles large quantities of sensitive information, then it may be worth appointing a dedicated data protection officer to oversee ongoing procedures, ensuring you are GDPR compliant at all times. It does not necessarily have to be someone within your organisation - smaller businesses might choose to appoint an appropriate individual on a part-time or consultancy basis.
10. Train your wider team
Do not make the mistake of thinking GDPR only affects senior members of staff. The implications of GDPR have an impact on every level of your company’s pyramid, and therefore it is important that you spend time teaching your employees what changes are to be expected once it arrives. For example, it’s not just electronically-held data that can pose a problem - your team must consider written records, which are also covered by the regulations. Failing to brief your team on GDPR could spell trouble for your business, as employees who are unaware of the new regulations may neglect instructions to handle personal information with care.