On the 25th May 2018, the General Data Protection Regulation (GDPR) comes into effect. It applies to all organisations that hold Personal Data (PD) about residents of the European Union, such as a full name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address and a multitude of others.
As you are also probably aware, the fines for failure under the GDPR are significant.
More importantly, the GDPR provides forward-looking firms with an opportunity to demonstrate the extent to which they care about their customers, stakeholders, clients, employees and suppliers and their PD. Because, and make no mistake, this data belongs to them, not to you.
And that means forward-thinking firms can use their adherence to the GDPR in numerous ways to differentiate themselves, to build trust and to grow their business.
If this sounds like you, then you should get in touch to discuss how we see the GDPR and what it might mean, positively, to you and your organisation.
What are the Steps to Take to Comply with the GDPR?
- Does the GDPR apply to your organisation? – It does if you hold, control and/or process PD belonging to EU residents. If that is the case, then you need to follow the remaining steps.
- Map your use of Personal Data – this involves you (and almost certainly a number of other people within your organisation) finding and documenting who is responsible for the data, where it is held and, importantly, who can access it. This step also requires you to define the lawful basis under which you control and/or process PD.
- Carry out a Data Privacy Impact Assessment (DPIA) – this is a specific version of a risk assessment to establish the impact of your data processing operations on the protection of Personal Data. It should follow good practice for risk assessments and thus requires careful thought and a well-developed and replicable process.
- Develop your Processes and Ensure they are Written – good GDPR practice, and something that will stand you in good stead if (when) something goes wrong, is to have created written processes and ensured that everyone follows them. Just as with ISO 27001, you need a robust Information Management System to do this.
- Communicate and Educate – everyone, and I mean everyone (including your employees and suppliers…and their employees), needs to understand their obligations under the GDPR, and you need to set out your expectations.
- Are you Ready and Able to Meet Data Subject (DS) Requests? – say someone asks you to update the PD you hold for them because it is currently inaccurate. Can you do it, and can you show them you’ve done it, across all the databases where you may hold that data? You will need to…
- Something New? – nothing stands still; firms are always developing new ideas, collecting more data and generally trying to improve and innovate. Doing this under the GDPR is a challenge, one that is talked about as ‘Privacy by Design.’ Again, there is a requirement to ensure that you enhance your culture (and can demonstrate adherence) to take this into account. Let’s say you are a software developer: how do you build your new app to ensure users’ PD is kept private?
If this short list helps you understand just how far-reaching the GDPR is and how extensively it may affect your business, and you want to discuss it further – just pick up the phone or send a message.