The General Data Protection Regulations come into force in May 2018. Although your IT team will be vital in implementing any changes needed to ensure that data is held securely with a clear audit trail and that only relevant people have access, it is the data controllers (the people who actually use and manage the data) who need to be prepared.
Here’s a checklist to help you ensure that your data is compliant.
1. Raise awareness
GDPR has received a lot of coverage – particularly in the marketing press – but do not assume that everybody is aware of GDPR. Make sure you raise the issue internally with your peers and at Partner-level to ensure everyone is aware of both the risks… and the opportunities.
2. Map your data
Create a spreadsheet and list the data your firm holds. Identify where it came from, the reasons why you store it and create a yes/no checklist as to whether you really need to store it. Then ask the data controllers to fill in the blanks and justify why they need specific data.
This is not an easy exercise, but it will help not only with GDPR compliance but also with thinking through your firm's wider processes.
3. Clear out dead data
Once you know what data you hold, it should be easier to clear out the dead wood: personal data that is no longer required for regulatory or historical reasons.
The less personal data you hold, the easier compliance will be. Make sure you record what data was removed and why.
4. Map out who is responsible for what data
Create an organization chart showing which role, or third party, is responsible for each element of GDPR.
If you don't already have one, it is likely you should appoint or nominate a Data Processing Officer (DPO). The DPO should identify your data controllers and ensure that all employees know what they should be monitoring or doing to prevent a data breach. It is likely you will need to set up some training.
The key here is to show the ICO that you have a process in place and are actively managing your data.
5. Update security data policies and procedures
One key aspect of GDPR is that policies and procedures must be accessible and written in plain English so that your teams can understand what they need to do.
6. GDPR offers opportunities as well as threats
When GDPR is discussed, people tend to focus on the big fines (up to 4% of turnover for a breach). But it also offers opportunities. By understanding where data is held and what it is for, there is the opportunity to refine that data and use it more effectively.
A classic example is marketing data: how up to date are those lists? Are you able to segment the data to target prospects and clients more effectively? GDPR enables you to ask those questions and require an answer.
7. Prepare for a data breach
Always prepare for the worst. Ensure you have well-defined policies to identify a data breach, remedy that breach and notify everyone affected within 72 hours.
And it is worth ensuring company insurance policies have been updated to reflect the new penalties.
8. Know the data rights and how you will answer them
The idea behind GDPR is a good one – that every individual has rights over their data. There are eight fundamental rights, and your firm is responsible for storing data in a way that allows these rights to be met. They are:
- Right to be informed – the right to know how personal data is used.
- Right to access – gives an individual access to their data and any associated data.
- Right to rectification – the right to have personal data rectified if it is incorrect or incomplete.
- Right to be forgotten – personal data should be removed where there is no compelling reason to store it.
- Right to restrict processing – if data is stored, an individual can demand that it is not processed (perhaps because they are waiting for it to be rectified).
- Right to data portability – an individual can request copies of information stored to be used elsewhere (e.g. applying for financial products across different vendors).
- Right to object – if an individual objects to data being processed (e.g. for marketing) you must comply.
- Rights related to automated decision making and profiling – an individual can object if decisions are being made about them by a machine without human intervention (e.g. tracking shopping habits online).
We recommend that you be prepared to be challenged and know what to do when you are.
9. Children's data
This is very important. If your firm processes data relating to children under the age of 16, you may require parental consent. For children aged 13 or under, parental consent is always required.
10. Talk to SOS about updating your systems and processes
Only you and your colleagues will understand how you use your data; where SOS can help is in making the technical changes you need to ensure your firm is GDPR compliant.
Get in contact when you have identified the changes you need to make. Contact us on 01225 787700 or email Elaine Galvin at firstname.lastname@example.org.