The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018, together with the Data Protection Act (2018), which implements the GDPR in UK law. It applies to all organisations who hold Personal Data (PD), such as; full name, name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address and a multitude of others, about residents of the European Union.
The GDPR delivers a ‘sea-change’ in the way organisations need to deal with people’s personal data. Failure to adhere to it will lead to significant issues including; financial penalties, reputational damage and knock on operational impacts.
More importantly, the GDPR provides forward looking firms with an opportunity to demonstrate the extent to which they care about their customers, stakeholders, clients, employees and suppliers and their Personal Data. Because, and make no mistake, this data belongs to them, not to you.
And that means forward thinking firms can use their adherence to the GDPR in numerous ways to differentiate themselves, to build trust and to grow their business.
If this sounds like you, then you should get in touch to discuss how we see the GDPR and what it might mean, positively, to you and your organisation.
What are the Steps to Take to Comply with the GDPR?
- Does the GDPR apply to your organisation? – It does if you hold, control and/or process Personal Data belonging to EU residents. If that is the case, then you need to follow the remaining steps
- Develop a Record of Processing Activities – this involves you (and almost certainly a bunch of other people within your organisation in finding and documenting what specific Personal Data you hold, who is responsible for the data, where is it held and importantly, who can access it. This step also requires you to define the lawful basis under which you control and/or process Personal Data. Where you decide to use ‘legitimate interests’ as the lawful basis, then you also need to carry out a ‘balancing test’ or Legitimate Interests Assessment and record the outcome.
- Carry out a Data Privacy Impact Assessment (DPIA) – this is a specific version of a risk assessment to establish the impact of of your data processing operations on the protection of Personal Data. Whilst it is required if certain conditions are met e.g. where data processing is likely to result in high risk to the data subject, we recommend that every organisation does it. It should follow good practice for Risk Assessments and thus requires careful thought and a well developed and replicable process
- Develop your Processes, ensure they are written and followed – This is good GDPR practice and something that will hold you in good stead (if…when) something goes wrong. Just as with ISO 27001, you need a robust Information Management System to do this
- Communicate and Educate – Everyone and I mean, everyone (including your employees and suppliers…and their employees) needs to understand their obligations under the GDPR and you need to set out your expectations
- Are you Ready and Able to Meet Data Subjects (DS) Requests? – say someone asks you to update the Personal Data you hold for them, because it is currently inaccurate. Can you do it, and can you show them you’ve done it? Across all the databases where you may hold that data? You will need to…
- Something New? – nothing stands still; firms are always developing new ideas, collecting more data and generally trying to improve and innovate. Doing this under the GDPR is a challenge, one that is talked about as ‘Data Protection by Design’ and ‘Data Protection by Default.’ Again, there is a requirement to ensure that you enhance your culture (and can demonstrate adherence) to take this into account. Let’s say you are a software developer, how do you build your new app to ensure users Personal Data will be kept private?
If this short list helps you understand just how far reaching the GDPR is and how extensively it may affect your business and you want to discuss it further – just pick up the phone or send a message.