How to Prepare for the GDPR

Share this story

Your first priority for preparation in terms of GDPR should be to educate yourself and ensure others in your organisation who has responsibility for data. It doesn’t matter about the size or legal entity of a business – we must all follow the same rules when it comes to handling data.

Don’t hesitate, assess, take action now and be ready.

Here are 10 considerations to help you prepare for the GDPR:

The GDPR is a law about Data Protection, based on a set of common-sense principles:

  • A “right to be forgotten”: When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press
  • Easier access to your data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portabilitywill make it easier for individuals to transmit personal data between service providers
  • The right to know when your data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures
  • Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ is now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps
  • Stronger enforcement of the rules: Data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover or £17,000,000 – whichever is more

Understand the definition of ‘personal data’.

Personal Data means any information relating to an identified or identifiable natural person (a “data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. ~Article 4(1) of the EU GDPR 2016/679.

Read the New Data Protection Bill.

You can find the ‘The New Data Protection Bill: Our Planned Reforms’, on the government website. Insert the link that you already have, into the above title.

The New Data Protection Bill covers the following 4 topics:

  • The Digital Economy
  • Our Data Protection Reforms
  • Implementing the Reforms
  • Looking ahead

Seek legal advice if you are unsure.

This article offers insights and guidance about the GDPR. It is highly recommended that you seek your own legal advice in preparation for the big change.

If you have a Website

Data on a website can be anything from a simple enquiry form, an ecommerce/online sales website to online user accounts that have details saved. Make sure that your website is encrypted with an SSL certificate and that any data gathered is stored in a safe and secure environment once it reaches you.

Identify where your company is storing data, for example:

  • Your website
  • Telesales – do you store names and numbers for your agents to call?
  • Direct mail – do you have completed order forms stored away with contact details?
  • Customer service departments – calls taken from potential customers and those recorded details
  • Personal contact with people – the exchange of business cards from a tradeshow or exhibition

Prepare your staff and make them well aware of the changes that are coming. Make sure that they understand the principles of good data protection and that they don’t write down details of people on a piece of paper that could go astray, end up in the bin or taken home on computers or memory sticks where information could get stolen.

Evaluate your environment and how you document personal data – where did it come from, who have you shared it with? How will you audit the data? Review current policy notices and put a plan in place – procedures and timescales.

Be compliant, review your practices and make sure that, to the best of your ability, you look after the data as if it were your own. Make sure your organisation’s privacy policy of how you handle data is compliant with the new rules and is up to date.

Decide how you will be able to prove that your data is secured safely and how to seek consent moving forwards.

The General Data Protection Regulation will apply to all companies based in the EU and those with EU citizens as customers. It has an extraterritorial effect, so non-EU countries will also be affected. Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR.

Do you need to employ a Data Officer?

A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. A DPO would be recommended for any organisation that processes or stores large amounts of personal data, whether for employees, individuals outside the organisation, or both. Seek advice as to whether your company should employ a DPO or make sure someone in the business has responsibility for Data Protection.

What have you done so far to prepare for the GDPR?

If you need help, support or just have a GDPR question you can call us 0203 319 3930 or drop me an email.

Last week….

GDPR and your Business

Next week…

Cyber security and data protection.

Comments are closed.