The General Data Protection Regulation (GDPR) requires that, by 2018, any company that wishes to do business in the EU, will need to collect, store and use personal information more securely. Companies that have not started addressing this yet will, potentially, have a lot of the compliance work to get through in 2017. With the GDPR clock ticking away, it’s likely that there will be an increasingly urgent response from companies when they realise they should be a lot further along the road to compliance than they are.
To help reduce the panic, we’ve reviewed multiple sources and complied the following summary checklist for GDPR. Companies would be advised to be making significant progress with the list by the middle of 2017.
GDPR To-Do List
Executives, IT staff and compliance officers need to be aware of what GDPR requires. Employees at all levels of the organisation need to be extensively educated on the regulation’s importance and the role they have to play.
Inventory of Personal Data
Make an inventory of all personal data you hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How is it secured, both in terms of encryption and accessibility? Do you share it with third parties and on what basis might you do so?
Communicate with staff and service users. Review current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organisation does and how aware customers, staff and service users are.
Ensure privacy rights are protected. Review procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically.
Review how access rights could change. Check and update procedures and plan how requests within new timescales will be handled.
Check the Small Print
Make sure you understand your legal small print. You should look at the various types of data processing you carry out, identify the legal basis for carrying it out and document it.
Make sure customer consent is ironclad. If you use customer consent when recording personal data, you should review how the consent is sought, obtained and recorded.
Take extra care with children’s data. If you process data from minors, you must ensure systems are in place to verify ages and gather consent from parents/guardians.
Plan for reporting breaches. You must ensure procedures are in place to detect, report and investigate a personal data breach. It is wise to assume a breach will happen at some point.
Get to grips with Data Protection Impact Assessment (DPIA) and Data Protection by Design and Default. DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will help you to identify potential privacy issues before they arise, and develop a mitigation strategy.
Data Protection Officers
Appoint data protection officers. Make sure that someone in the organisation or an external data protection consultant takes responsibility for data protection compliance and understands the responsibilities in detail.
Understand Who Oversees GDPR
Make sure you understand who you answer to regarding GDPR. The regulation includes a “one-stop-shop” provision to assist companies operating in EU member states. Multinational companies will be entitled to deal with just one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.
If your companies is affected by the points raised in this article and you feel you would benefit from some assistance, please feel free to contact KRYPSYS on 0845 474 3031.