The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It applies to anyone who processes the personal data of people in the European Union. What steps can you take to be compliant?
Key points to consider:
According to a recent survey, 48% of respondents did not think that they would be in compliance with GDPR by the effective date, and 8% did not know when they would be compliant.
The head of the Information Commissioner's Office (ICO), Elizabeth Denham, has stated in her blog post "GDPR is not Y2K" that “there will be no ‘grace’ period”. Since companies have had two years to prepare, the ICO will be regulating from the effective date. She also highlights that GDPR is not a one-time effort and will require ongoing maintenance.
Those who self-report, who engage with the ICO to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account.
So, if you are part of that 48%, the worst thing you can do, even at this late stage, is nothing. You need to be able to show that you have been thinking about the following elements:
- Raise awareness with decision makers and stakeholders
The decision makers and stakeholders need to be aware that the law is changing, the impact this is likely to have and be able to identify areas that need to be verified. The leadership team needs to promote a culture of transparency and accountability.
- Review your current process, what data you capture and why
Make sure all contracts with third parties are suitable for GDPR. If you transfer data internationally, ensure that processes are consistent across regions.
- Implement responsibility and accountability measures
Decide if you need to appoint a data protection officer. Consider the legal basis for capturing the data. Review your privacy notices. Design and test a data breach incident procedure. Think about what new projects could need a Data Protection Impact Assessment.
- Prepare for individuals to exercise their rights
Check your policies, controls and procedures to ensure they cover all the rights individuals have, including:
i. Access to their data
ii. Efficient correction of mistakes
iii. Erasure of information
iv. Prevention of direct marketing, automated decision-making and profiling
v. Data portability - On request, provide the data electronically and in a specified format
- Consider security
Actively address security vulnerabilities and cyber risks.
- Implement training
Employees are your best defence and your greatest potential weakness. Ensure you hold regular training sessions, with mandatory refresher training.
Even at this late stage, demonstrating to the ICO that you’re taking action is better than not taking action at all.
Helen Dann is Co-Founder and Head of Customer Success at RequirementONE, and loves nothing more than helping our customers simplify their day-to-day job.
Sign up for a free trial today and find out how we can help you manage your GDPR processes.