Are You Prepared For GDPR?
Changes to the law surrounding data protection hit in just 4 months and businesses could face fines of up to four per cent of their turnover or 20m Euros (whichever is greater) if the new rules are breached. Here, our Operations Director Andy Jenkins discusses the upcoming changes to how we collect, store and use data and a step-by-step guide on how your business should prepare for them.
With GDPR only a few months away, many businesses are allocating staff or even appointing dedicated teams to deal with the changes. To start, each company should immediately focus on and identify what personal data the business holds and if it holds any special categories of personal data i.e. Sensitive Personal Data, Data on Children.
The business should then work on the 5 W’s of GDPR:
Is the data coming from?
Is the data being stored?
Is it being transferred to?
Is the data?
Is the level of sensitivity of the data?
Would be the effect on the data subject in the event of a breach?
Has access to the data – do they need access?
Are the third party data processors? (if there are any)
Are you transferring data to and on what terms?
Do you hold the data? Legitimate purpose or under consent?
Are you only using it for the stated purpose?
Did you gather / transfer the data?
Do you still need it?
do you have an audit trail to show how and when the data has been used?
The business should then analyse all current data held within the business including personal data held on employees and decide if it is a Data Controller and / or Data Processor.
Based on the output of the above and the 5 W’s, the business should then devise a Data Protection Policy, which should define the terms used surrounding data, the reasons the business will use for holding personal data, its data retention policy, aspects surrounding data security and who has access to the data.
Next, the company should establish a data security policy and consider using external consultants to undertake network penetration tests and seal any gaps in its IT network’s security – not forgetting the use of any portable devices, which if they hold personal data should be either password protected or encrypted. Don’t overlook the physical security to the building in which data is being stored.
It is also important to make sure that Data Impact Assessments are at the heart of any changes the business makes in relation to using data.
Undertaking comprehensive GDPR training within the business will ensure that all staff have an understanding of the impact of GDPR and their personal obligations and should communicate its approach to using data with staff and customers to engender confidence.
It’s essential that marketing teams have the correct consents in place to continue to use any data they hold for marketing purposes and have a robust procedure in place to evidence the consents required to use data. Make sure this is auditable.
Ensure any third party, with whom data is shared, have a robust approach to GDPR and if they are outside the EEA have the necessary permissions / safeguards.
Every business should ensure it has a robust policy to cover any Subject Access Requests made by data subjects.
It should also devise a data breach policy and be mindful of the timescales in relation to notifying any breaches to the ICO.
And finally, consider appointing a Data Protection Officer, or at least someone who is responsible for data related issues within the business and document everything. Remember that the ICO will ask for evidence of your approach to data in the event of a breach.