New documentation is being published all the time around GDPR, and you will probably hear many companies hailing themselves as experts, promising to dive in and save you from the perils of this new legislation. We’ve even seen one company state that they have been GDPR experts for ten years, which is quite a feat, considering it was a mere twinkle in the EU’s eye back then. There will be some scaremongering, and a lot of talk around what your business needs to comply, but the fact is that while, yes, you do need to take action, the process doesn’t have to be that complicated or stressful.
For instance, many of the concepts and principles in GDPR are much the same as those in the current Data Protection Act 1998, so if you're already complying with that, you're well on your way.
What you will need to do is look at the differences in this legislation and make sure you’ve got them covered in good time. Planning is everything with this one because changes could have significant budgetary, IT, personnel, governance, marketing and communication implications, but with that strong plan in place, all of this is doable.
However, it does make sense to use expert help where you can to make inroads and get a march on the deadlines, rather than leave everything to a Chief Information Officer or Data Protection Officer.
We recently undertook a GCHQ course on GDPR (so you don't have to), so we have the certification to back up our expertise, but we don't approach finding a solution for you by bringing baffling amounts of information to the table, especially when the legislation aims to do the exact opposite. We pride ourselves on bringing IT solutions to businesses and agencies in a friendly and understandable way, and with GDPR it is no different.
This list highlights the steps you can take right now to start out on the road towards compliance, and how pebble.it can help.
- Be Aware
Make sure decision makers in your business are aware the laws are changing, help them understand the impact of GDPR, and agree budget and resource to help meet the new legislative requirements.
- Get Informed
Look at the data you hold and (safely) destroy what you don't need or want, so that there is less to review. Before you delete anything, check whether a legal, regulatory or contractual retention requirement applies to it; data you are obliged to keep should be kept, but protected and reviewed like everything else. For what remains, record where it came from, how you use it, who it is shared with, how it's protected and what information audit trail is currently followed.
Review your current privacy notices and put a plan in place to make any necessary changes in time for GDPR implementation. Share ownership and make everyone who needs to know aware, particularly if new ventures are planned that would go against the impending GDPR requirements.
- Brush up on Individual Rights
Get familiar with the rights of individuals (your customers, staff and anyone else whose data you hold) and how you should treat existing information. This includes understanding how you'd provide someone with a copy of their data electronically in a structured, commonly used and machine-readable format (the right to data portability), how you'd correct or erase it on request, and, if you're willing to purge to make life easier, how you'll dispose of information safely.
- Assess Access Requests
Review existing procedures and plan for how you would handle subject access requests under the new rules. Who would own them? What do the timescales look like, given that GDPR generally requires a response within one month (extendable by a further two months for complex or numerous requests) and that in most cases you can no longer charge a fee? Can a procedure be written up and agreed to in advance, including how you verify the identity of the person asking before releasing anything?
- Understand Data Processing
- Review Consent
Review how you seek, record and manage consent, and work out whether you need to make changes to that process. You might need to review existing consent for GDPR too, so you’ll need a roadmap to get you there and make sure you’re meeting the guidelines with all newly-acquired data.
- Think of the Children
If your business manages data relating to minors, you'll want to be on top of age verification and parent or guardian consent to ensure business as usual, and that new business can flow after the GDPR deadline. GDPR sets the age at which a child can consent to online services at 16 by default, though member states may lower it to as young as 13, so check the threshold that applies where you operate.
- Minimise the Risk of Data Breaches
Having the right procedures in place to detect, report and investigate personal data breaches is vital, as is bolstering your defences against the risk. Under GDPR a breach that is likely to result in a risk to individuals must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it where feasible, and individuals must be told without undue delay when the risk to them is high, so you need logging and monitoring that will actually surface an incident, and a plan for who assesses it and who makes the report. If you have no protection in place, consider what tools and software you need to make it happen.
- Know the Codes of Practice
Data Protection by Design and by Default, and Data Protection Impact Assessments (which become mandatory for processing likely to result in a high risk to individuals), are going to be important. You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments, as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Employ a Data Protection Officer
If you don't have one already, you should think about designating someone to take responsibility for data protection compliance and think about where the role sits within your structure and governance. Not every business will be required to have a designated Data Protection Officer: it is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special category or criminal conviction data on a large scale. Work out whether it's useful, required or both.
- Think internationally
If your business operates in more than one EU member state (i.e. you carry out cross-border processing), you need to determine your lead data protection supervisory authority, which will normally be the authority in the member state where your main establishment is located. The Article 29 Working Party guidelines will help you do this.
All of this will take time to assess and implement, but with the help of an IT consulting service with GDPR expertise, you can start the process of making your organisation compliant with the legislation, and won't have to fear the deadline of 25 May 2018.
Discover the steps you need to take to meet GDPR compliance standards and how certified GDPR experts pebble.it can help you get there by downloading our free GDPR-readiness checklist or by getting in touch with us: