ECS HIDDEN HERE

This website uses cookies. By proceeding you are agreeing to our use of cookies.

With the introduction and implementation of GDPR (General Data Protection Regulation) officially one month away, you’re nearing the eleventh hour if you haven’t yet made any considerations of business impact or changes to your operational and digital presence. 

Aligning your business as GDPR compliant is an important process to protect against liability for the mishandling of private data - a subject which has been as hot as a ghost pepper in the press of late. Those who fail to comply with the new GDPR guidelines could face hefty fines of up to €20 million, or 4% annual global turnover.  It seems apt timing for the instigation of such legislation following Zuckerberg’s testimony to Senators in the US after (at least) 87 million people’s data was harvested and exposed from the social networking site Facebook.

GDPR will not only impact incorporated businesses, but there will also be significant implications for the self-employed and sole-traders. GDPR applies to any business that processes the data of EU citizens - including customer, supplier, partner and employee personal data. With the legislation set to come into force on 25th May 2018, now is the time to lock-down any necessary adjustments and ensure you meet the proper standards and required specifics. To make this easier for you, we’ve detailed ten recommended steps for you to take to ensure you’re doing it right:

Institutional Awareness

Any decision makers and key stakeholders in your organisation should be made explicitly aware that the law is changing to the GDPR. A full comprehension of the relevant implications for your business is key here.

Data you hold

You should document what personal data you hold, where it came from and who you share it with. It may be advisable to carry out an information audit to understand how much of this information you store and why it's necessary for you to keep.

Communicating privacy information 

Review any current privacy policies or notices in place.  If you have your own website then your privacy policy must include how the individual's data will be used, how long it will be used for, any third parties that the data will be shared with and the option for consent. Make a plan to ensure any necessary changes are adhered to in a timely manner. 

Individual’s Rights

Ensure you’ve reviewed your current procedures with the mind that they cover all the rights that individuals are entitled to. Also, consider deletion processes of personal data and how data can be provided in electronic or other commonly used formats.

Subject access requests

Update your procedures and plan how you intend to handle requests within the new stipulated timescales, be sure to provide any necessary additional information.

Consent

You must review how you seek, source, record and manage consent and whether you need to make any changes. This also includes refreshing existing consent received from customers if they don’t meet the GDPR standard - keep an eye out for double opt-in here.

Children

Start thinking now about whether you’ll need to implement systems to verify individuals’ ages and, if necessary, obtain the relevant parental/guardian consent for any data processing activity.

Data Protection by Design and Data Protection Impact Assessments

Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments, alongside the latest guidance from the Article 29 Working Party, and plan how and when to implement them in your organisation.

Data Protection Officers

Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. Consider any requirements for formal designation of a Data Protection Officer.

International

If your organisation is operating in more than one EU member state (i.e. you carry out cross-border processing), you’ll need to determine your lead data protection supervisory authority. Guidelines expressed in the Article 29 Working Party will assist you with this process.

That’s a fair amount covered, but not all of the things you’ll need to do to ensure you’re GDPR compliant and on the right side of international law. Start with these steps, and you’ll be well on your way to leading by example - something you should champion on your site, on your CV and amongst your network. GDPR is a slightly heavy, but necessary and important change in the way we handle data. Lead the way, and you’re sure to stand out at the front of the pack in more than one regard.

Keep an eye out for more articles coming soon in this series. Follow us to keep in the loop. 

"