GDPR – Where do you begin?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
Before getting carried away, start with education and awareness: discuss the GDPR and its requirements within the business and put together a plan of action.
On the face of it, GDPR compliance looks like a frightening task; however, starting with the basics and breaking it down into chunks makes it much more manageable.
GDPR First Steps
GDPR is all about information and protecting it, so the first few steps are essential:
- What information do you as a business have that will be subject to the regulation?
- Where is this data stored?
- Who has access to it?
- What is your purpose for processing it, what lawful basis do you rely on, and if that basis is consent, what level of consent do you already have?
- How could your data accidentally or maliciously leave the organisation?
Review your privacy information
Businesses will need to review their privacy information. Once the GDPR applies, businesses must give individuals certain information when collecting their data, such as the identity of the organisation collecting it and how it intends to use the information.
You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
Subject access rights
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request, and normally you will have just one month to comply, rather than the current 40 days. That month can be extended by a further two months for complex or numerous requests, but only if you tell the individual within the first month that you are extending it and why.
Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR refers to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear, given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent also has to be a positive indication of agreement to personal data being processed; it cannot be inferred from silence, pre-ticked boxes or inactivity.
Children
For the first time, the GDPR brings in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation offers online services directly to children and relies on consent to process their data, you will need a parent or guardian’s consent in order to process that data lawfully, and you must make reasonable efforts to verify that it has been given. The GDPR sets the age below which this applies at 16 but allows member states to lower it to as low as 13; in the UK it will probably be set at 13.
Now you know about your data…what is next?
Businesses need to put the right technology in place to protect this personal data. If this does not happen, you may have to pay: directly, in fines from the supervisory authority, and indirectly, through reputational damage and loss of goodwill and customer trust.
Companies that encrypt their data and put the right technology in place protect both their customers and themselves. The GDPR names encryption and pseudonymisation explicitly as appropriate security measures (Article 32), and if a breach involves only data that was encrypted so that it is unintelligible to whoever obtained it, you are not required to notify the affected individuals (Article 34), although you may still need to notify the supervisory authority under Article 33.
We offer GDPR training courses that give businesses the information required to ensure that they are compliant with the new rules. Our 1-day course is an introduction for those wishing to understand the law and the steps required to be compliant. Our 4-day course provides a detailed introduction to the GDPR and a full overview of how to plan and implement a continuous compliance programme.
GDPR IT and Infrastructure Audit
GDPR is all about the information you hold about individuals in the EU (regardless of their citizenship) and protecting it, so there are some essential steps required to start this process. First, you will need to understand where your data is stored and how it is protected. Our engineers can assist with this fact-finding process by completing a GDPR IT and Infrastructure Audit that will assess where your data is held and how it is currently protected, and provide advice on how to protect it further.
The Next Step…
If you are concerned about the GDPR and how it will affect your business, we can manage the project for you to ensure that your business is compliant. Please contact our team on 01392 824 022 for more information and advice.