Preparing for GDPR

So much has been written about GDPR, yet the same questions are still being asked. If you are already prepared, great; if not, read on:

GDPR is not a ‘fixed point’ in time. May 25th 2018 is the date from which GDPR takes effect, but for organisations GDPR is an ongoing journey.

Technology is continually changing and, as an organisation, you should continue to evolve; the same applies to your GDPR and privacy management programme. There will always be privacy and security risks. As an organisation you have a duty to protect the data that you hold, and it is up to you to show that you are a responsible organisation by having procedures in place to mitigate these risks.

As an organisation you should be implementing responsible data practices:

Create awareness within your organisation

Ensure that your data protection procedures are known throughout the organisation. All of the key stakeholders should know that GDPR is happening, and they need to know the implications it will have for their part of the business.

Communication of your privacy programme

Do you have a fit-for-purpose internal communication framework in place? Can you be sure that all of the necessary information will filter through to all of your staff? Now may be the time to appoint a ‘GDPR Champion’: the person who ensures that all of the necessary communications reach the right people. Identify the key stakeholders within the organisation.

Understand your data

As an organisation, can you truly say that you know the data that you hold? You should know your data: where it came from, how it was collected, the consent attached to it, what it is used for, how long you have held it, how long you can hold it for, whether it is accurate, when it was last updated, who has access to it, and who you share it with.

If you share your data, now is the time to review third-party contracts: are they fit for GDPR?

GDPR is not just about customer data; it covers ALL the data held by the organisation, including data belonging to customers, prospects and employees.

Processing Data

Review why you are processing the data that you hold: what is your ‘lawful basis for processing’?

Consent

Is the consent on your data up to date? How did you obtain that consent? Have you considered a ‘double opt-in’ method for consent? Are your existing consents fit for GDPR? Review how you seek, record and manage consent.

Rights of the Individual

Do your procedures cover all the rights of the individual? Can you access customer data easily, can you delete customer data if requested, and can you update data if asked to do so?

Subject Access Requests

Review your procedures for dealing with a SAR (Subject Access Request). Do you know how, as an organisation, you will deal with these? Are you aware of the new timescales? Are your staff up to date with their training?

Privacy Notice

Do you have a privacy notice, and is it easily accessible? Is your current privacy notice fit for GDPR? Is it written in plain English that is easy to understand? If not, review and update it.

New Projects and Privacy by Design

Put privacy at the top of your agenda and ensure that it is embedded within the culture of your company. New projects start with privacy: implement a procedure whereby a DPIA (Data Protection Impact Assessment) is the automatic first step for any project that may impact personal data.

Data Breach

Your organisation has had a data breach: do you know what to do? Familiarise yourself with what GDPR requires after a data breach: the new timescales for reporting, and who and what to report. Put a plan in place to detect, report and investigate if the worst happens, and practise the procedure. As an organisation you must know who has responsibility for dealing with a breach; having a plan will make dealing with the consequences easier and more succinct. After all, we wouldn’t dream of not having fire drills, would we?

Data Transfers

Do you carry out international data transfers? Then you need to know who your lead authority is. Wherever you transfer data to, you need to ensure that the data path is secure: check it.

DPO

Check whether you need a Data Protection Officer; if you do, then you need to find one. You may want to outsource your DPO, or you may not need one but choose to have one anyway.

Children

If your organisation collects data belonging to children, then you need procedures in place to verify age and to gather consent from parents or guardians.

As an organisation you need to be able to show:

Commitment to GDPR: preparation and compliance should be happening across the whole of the organisation, from board level, cascading down to every level.

Transparency and accountability are embedded in your company culture. Does the culture of the organisation need to change? There needs to be a culture of transparency and accountability. Building a comprehensive privacy programme reduces risk to data, protects against data breaches and builds trust in the brand, which ultimately can build competitive advantage in the marketplace by using trust as a brand differentiator.

GDPR is about making organisations accountable for the data that they hold; transparency is about ensuring that individuals know what their data is being used for and giving them the choice to object. If, as an organisation, you can show good practice, then this will ultimately go in your favour.

Appropriate data security measures are in place within your organisation. This means that you need to review your IT systems and procedures and detect any gaps in those procedures which could leave you vulnerable. Think about data storage, data access and data transfers; carry out a data mapping exercise and document the data flow within the organisation.

Staff training is up to date, and regular refresher data and privacy training is carried out. By implementing a staff training programme you will start to embed a privacy culture within the organisation. Ensure that your staff are not the weakest link.

In conclusion, GDPR is good. Whilst in the first instance it may seem an overwhelming and costly exercise, it doesn’t have to be: take it step by step, start with a gap analysis, and from this you will see where the gaps are so that you can prioritise them. Implementing GDPR is an ongoing process; make privacy matter within your organisation and in the months ahead you will reap the benefits.