It’s not long now until the General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018.
Many businesses are still unsure exactly what they need to do (and in many cases there is still a lot of debate about what specifically needs to be done), but the one thing that is certain is that you should do something – doing nothing is simply not an option.
What is GDPR?
The GDPR is a new set of European data protection regulations that replaces the 1995 data protection directive. The GDPR is designed to give greater protection and rights to individuals and to “harmonise” European data privacy laws. It means that organisations that handle personal data will have to make substantial changes.
The main source of information in the UK is the Information Commissioner’s Office (ICO), https://ico.org.uk. This website should contain all the guidance you need, but it is complex.
Every organisation is a Data Controller (many will also be Data Processors in addition to being Data Controllers). As such, you are responsible for keeping all the data you hold safe and secure, and for ensuring that you aren’t keeping more data than you need to have and are allowed to have. It may well be impossible for any organisation to be fully compliant, but your organisation still needs to try to be as compliant as it can be, and the best way to do this is to approach GDPR honestly and transparently.
What can you do?
Every organisation uses and stores personal data in a different way, so every business will need to make changes unique to that business, but here is a quick checklist of 8 steps to get started:
1. Get an overview
Set aside an afternoon and visit the ICO website’s GDPR section to get an overview: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
2. Assess your current position
Next, complete this online questionnaire: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-controllers/ This will give you an understanding of your current position and will help identify what you need to do.
3. Audit your data
You need to understand what data you have. This includes customer data as well as employee data. The ICO’s documentation guidance is at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
On that page there is an Excel template, pre-filled with examples, that you can use to audit your data: https://ico.org.uk/media/for-organisations/documents/2172937/gdpr-documentation-controller-template.xlsx
4. Data Protection Impact Assessments (DPIAs)
You don’t necessarily need to carry out Data Protection Impact Assessments, but you won’t do any harm if you do. DPIAs will help you understand and document the personal data you control. The ICO’s DPIA template is at https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review-20180308.pdf
It is probably a good idea to complete impact assessments for internal systems and processes such as Payroll, HR, CRM systems etc.
If you use other companies to process data (for example, managing a website for you), you should ask them for DPIAs that detail what data they process for you and confirm that it is kept safe and secure.
5. Written agreements
You are supposed to get written agreements from Data Processors (other companies that use your data on your behalf, e.g. your accountant). These agreements state that they will only use the data you control for the purposes you have employed them for, and that they will keep the data safe and secure. This may already be covered by existing contracts, but if not you should seek an additional agreement covering the new regulations. These agreements are known as ‘Controller Processor Agreements’ or ‘Data Processing Addendums’.
6. Security
An important aspect of GDPR is security. GDPR covers all kinds of records, both physical (e.g. paper) and electronic. Offices should be secure, filing cabinets kept locked, etc. A good place to start in terms of electronic security is Cyber Essentials, https://www.cyberessentials.ncsc.gov.uk/, a government-backed scheme to help organisations protect themselves from cyber attacks. The scheme will guide you through the basics, like making sure you have anti-virus software installed, and it is possible to get an official certification too.
7. Transparency
GDPR is about transparency: letting people know what data about them is being used and why. For example, if you have a contact form on a website, explain that you will only use the data an individual submits to help with that individual’s enquiry, and that you will not share that information or use it for another purpose (and, of course, make sure that your organisation doesn’t use personal information in ways it does not have permission to).
8. Audit trail
Keep a record of everything GDPR-related that you do. An important part of GDPR is the process of understanding and auditing your data, so it is important to record the process itself.