Clean up your processes to ensure GDPR compliance
01 December 2017
With the arrival of the General Data Protection Regulation (GDPR) drawing closer, businesses now face a race against the clock to achieve total compliance, according to Paula Tighe, information governance director at law firm Wright Hassall.
Preparing for GDPR is a lot more than simply a box-ticking exercise; it requires key decision makers to spend time understanding the new regulations and then push through the necessary changes early, so that critical obligations are met in time for its arrival in May.
Despite the UK leaving the EU, businesses must still comply; wherever your data comes from, if it is used, recorded, or processed in the EU, you must adhere to GDPR regardless.
Raise awareness and register it
First, begin by recording the compliance process, as this will help mitigate any risk of incurring penalties for non-compliance. This record, also known as the ‘Data Register’, should include details about the data you currently hold, as well as your reasons for processing it. This will help to ensure you adhere to the accountability principle of GDPR.
Rather than preventing you from doing things, GDPR aims to improve standards by encouraging you to make existing processes more effective and efficient. Review your existing privacy notices and policies, in both digital and hard-copy form, to make sure they are concise, written in clear language, easy to understand and easily found.
Assess how you communicate these notices and policies with data subjects, ensuring you clearly explain your reason for processing the data, how long it’s retained and how individuals can complain to the Information Commissioner’s Office if they are unhappy.
Rights of the individual
GDPR will give individuals greater control over their personal data, so you must ensure your procedures detail how you will provide data, how you would delete it, and how you will correct mistakes.
Perhaps one of the key drivers for the changes is the right of an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.
Having transparent procedures will mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation correctly handles personal data under the current Data Protection Act, the change to GDPR should be no problem.
Never assume consent
Handling consent for the capture and use of personal data for more than just contact is a tricky area. Individuals must give clear consent for their data to be used and be able to revoke consent at any time - if you want to use their data differently, you must obtain a new consent.
How you attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.
Keep reviewing and keep recording
Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA).
These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome.
Make someone responsible and keep it up
If you routinely monitor or process personal data on a large scale, you should appoint a data protection officer who understands the regulations and will drive your data privacy processes.
You must also consider written records, which are also covered by the regulations - ensure all your staff are trained on the correct handling of personal data.
Record how you handle each step of the process in your Data Register and remember, for SMEs it will be more important to show a willingness to comply by trying to implement all the necessary steps, than to be fully compliant in May.