For most businesses and IT managers, preparation has not yet started despite the deadline being less than 6 months away.
Ignorance of the legislation will be no excuse, and with the severe penalties planned, some businesses could be made bankrupt if they fail to comply. How would you deal with a fine of 4% of turnover?
Please use this checklist to start you on the road to compliance. These are the key areas you should address. As you get into the detail of your own GDPR review, you will also uncover data considerations, which are particular to your own industry and business type.
1 Raise Awareness In Your Business
GDPR will probably require you to make changes to the way you collect, store, use and process data, in particular data held on individuals.
The new regulations extend the provisions in the Data Protection Act 1998 but GDPR has more teeth to enforce the new and existing provisions.
All staff in an organisation must be made aware of the regulations, as they will need to ensure they are following them on a daily basis.
Decision makers and systems designers will need to ensure that all new systems and procedures are compliant.
For firms of over 250 employees, you will need to appoint a Data Protection Officer. For smaller companies, you will need to name a person responsible for the implementation, monitoring and administration of the GDPR regulations.
2 Perform a Data Audit
The main focus of GDPR is on the digital rights of individuals. They are called Data Subjects.
You need to review all the data you collect and document what data is being held and for what purpose.
For example, as an accountant I hold data on clients which includes Date of Birth, National Insurance Number and Unique Tax Reference (UTR).
The reason we hold this data is to be able to complete Tax Returns.
We gather this information on HMRC form 64-8 which is authorised by the client.
You will need to determine what data is sensitive and what is in the public domain.
3 Communicate Clearly To Individuals (Data Subjects)
The days of ambiguous Terms and Conditions when submitting documents are ending.
GDPR specifies that Data Subjects must be made aware, in clear and concise language:
Why their data is being collected
For what purpose the data is held
How the data will be stored
How long the data will be held
Data subjects (individuals) must specifically OPT IN and accept the Terms and Conditions, and you must have proof of this.
Review all of your data collection procedures, both paper and digital, because GDPR covers anything that becomes part of your filing system.
4 Consider The Purpose Of Data Collection
Under GDPR, organisations and businesses will be legally required to justify each item of personal data they hold on an individual Data Subject. Only data which is justified may be held.
Personal Data cannot be held indefinitely and should only be held for the period of time it is needed for the reason it was collected.
5 Understand Data Subject Rights
A Data Subject currently has the right to request personal data which is held by an organisation. This has to be supplied within 30 days, and the administration fees have been abolished.
GDPR gives the individual more power in requesting data and the right to correct any information held.
This is about your processes: ensure you can provide the data quickly to the individual and also make it easy to correct the data.
6 Provide Data Portability
This means that you should be able to transfer the data in an acceptable format to a new data controller.
This will become clearer as GDPR is implemented.
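The data audit in section 2, the purpose and retention requirement in section 4, and the portability requirement in this section all come down to keeping a register of what personal data is held, why, on what basis, and for how long. The following Python script is an added illustration of such a register and is not code from the original checklist. It models the accountant example from the text; the field names, retention periods, consent references and dates are constructed sample values, and the register layout is an assumption of this example rather than anything GDPR itself prescribes.

```python
"""Personal-data register with data-audit, retention and portability checks.

Added illustration, not code from the original article. The register
layout, field names, consent references and dates are constructed
sample values modelled on the accountant example in the text.
"""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import List, Optional
import json


@dataclass
class DataItem:
    subject_id: str             # the data subject (individual) the item belongs to
    field_name: str             # e.g. "date_of_birth"
    purpose: str                # why it is held; empty string = no justification recorded
    sensitive: bool             # flagged sensitive rather than public-domain data
    collected_on: date
    retention_days: int         # how long it is needed for the purpose it was collected
    consent_ref: Optional[str]  # proof of opt-in (form or record reference); None if absent


# Constructed sample register (assumed values) modelled on the accountant example.
AUDIT_DATE = date(2017, 12, 1)
TAX_PURPOSE = "Complete the client's Self Assessment tax return"
SAMPLE_REGISTER: List[DataItem] = [
    DataItem("client-001", "date_of_birth", TAX_PURPOSE, True, date(2017, 4, 10), 6 * 365, "64-8/2017-001"),
    DataItem("client-001", "ni_number", TAX_PURPOSE, True, date(2017, 4, 10), 6 * 365, "64-8/2017-001"),
    DataItem("client-001", "utr", TAX_PURPOSE, True, date(2017, 4, 10), 6 * 365, "64-8/2017-001"),
    # no purpose and no consent evidence recorded, and long past its retention period
    DataItem("client-002", "marketing_email", "", False, date(2010, 1, 5), 730, None),
    # justified and consented, but kept beyond the period it was needed for
    DataItem("client-003", "phone", "Contact about outstanding returns", False, date(2014, 6, 1), 365, "web-optin-2014-77"),
]


def overdue_items(register: List[DataItem], today: date) -> List[DataItem]:
    """Items held beyond the retention period recorded for them (section 4)."""
    return [i for i in register if today > i.collected_on + timedelta(days=i.retention_days)]


def unjustified_items(register: List[DataItem]) -> List[DataItem]:
    """Items with no documented purpose or no proof of opt-in (sections 3 and 4)."""
    return [i for i in register if not i.purpose.strip() or i.consent_ref is None]


def audit_summary(register: List[DataItem], today: date) -> dict:
    """Headline figures a data audit would report (section 2)."""
    return {
        "items": len(register),
        "sensitive": sum(1 for i in register if i.sensitive),
        "overdue": len(overdue_items(register, today)),
        "unjustified": len(unjustified_items(register)),
    }


def export_subject(register: List[DataItem], subject_id: str) -> dict:
    """Everything held on one individual, for a subject access request or
    for portability to a new data controller (sections 5 and 6)."""
    items = []
    for i in register:
        if i.subject_id == subject_id:
            row = asdict(i)
            row["collected_on"] = i.collected_on.isoformat()  # keep JSON-serialisable
            items.append(row)
    return {"subject_id": subject_id, "items": items}


def export_subject_json(register: List[DataItem], subject_id: str) -> str:
    """Machine-readable export of one subject's data."""
    return json.dumps(export_subject(register, subject_id), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(audit_summary(SAMPLE_REGISTER, AUDIT_DATE))
    for item in overdue_items(SAMPLE_REGISTER, AUDIT_DATE):
        print("overdue:", item.subject_id, item.field_name)
    for item in unjustified_items(SAMPLE_REGISTER):
        print("unjustified:", item.subject_id, item.field_name)
    print(export_subject_json(SAMPLE_REGISTER, "client-001"))
```

Run against the constructed register, the audit reports five items, three of them sensitive, two held past their retention period and one with neither a recorded purpose nor consent evidence; the export for client-001 returns the three tax-return fields in a format that can be handed to another controller. In a real review the register would be populated from each system that holds personal data, and the retention periods would come from the justification documented for each purpose.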
7 Data Protection Impact Assessments
The definition of what constitutes a high level of risk will be determined by the Information Commissioner's Office (ICO) in the UK; it will also inform us of what still needs to be fully clarified.
It would be prudent to look at each of your systems and do a risk assessment of the data held and the purpose for holding the data.
There could be penalties if the risks to data subjects' rights have not been identified and documented.
Some systems will need to be amended to ensure only the essential data is held and that it is only held for the correct period of time.
8 Data Processing Systems, Designing In Security
Designing good security has been part of the data processing industry for many years but organisations must ensure that the security procedures are followed.
Where a new system is being designed, it should now be designed with GDPR in mind.
For current software, organisations should gain assurance from the software provider that it is compliant with the new regulations.
All Data Processing Policies should be refined and active.
Where there is no policy then a policy should be created to deal with GDPR requirements.
Incidents need to be reported to the supervisory body within 72 hours under GDPR. This will mean a constant monitoring of systems by the data controller.
You should run through all the scenarios you envisage happening and ensure that your data controller has the systems and procedures in place to deal with them, and that there is a reporting system so that all risks and problems can be dealt with in a timely manner.
Due to the financial penalties under GDPR, it would be advisable to brief your board and decision makers about the implications of GDPR for the operation of the business. Your Finance Director should also provide the amounts that the organisation could be liable to pay.
10 Have A Point Of Contact
Under GDPR, being responsive to individuals, i.e. Data Subjects, is going to be imperative.
The organisation will need to be open and fair about the data it holds and must be able to provide it and amend it efficiently and effectively.
Nominate a Data Controller and a point of contact within your organisation. Their contact details should be published on all points of data collection.
You should also inform the supervisory authority of your Data Controller so that all issues can be channelled and dealt with.
We think that the regulator will be looking for some examples to put into case law.
Preparation should help you to avoid being one of these cases.
GDPR should not be thought of as a box-ticking exercise, as the organisation's data requirements will change as the business evolves.
Controls should be implemented based on your risk analysis and where necessary the systems will need to be updated.
GDPR will be a long and arduous process and will have many unforeseen problems. The more you prepare in the next four months, the better placed you will be to deal with the ICO when the regulations are enforced in May 2018.