GDPR – your last-minute checklist!
17th May 2018
On 25th May, the new EU General Data Protection Regulation will come into full effect, meaning that companies that do not take data protection seriously could face huge fines.
With the deadline only one week away, most businesses have been working on an extensive action plan to make sure they are compliant. But with so much to consider, here is a final checklist outlining the most important areas that need to be considered and some last-minute tips to help your business become GDPR compliant.
#1 Have you completed an end-to-end data assessment?
A company-wide data audit must be undertaken to identify every location where sensitive personal information is either located, processed, stored or transmitted. This includes customer and sales management tools, data capture systems linked to your website, marketing databases, connected cloud applications such as Dropbox, third parties and external IT suppliers.
You need to have a full understanding of your business’s personal data and the workflows associated with that data. Article 4 of GDPR defines “personal data” as any information related to an identified person - this may include names; ID numbers; job titles; location; online identifiers; and physical, genetic, economic, cultural, or social identities.
Any data that is deemed unnecessary and not essential for business reasons must be deleted to ensure compliance with the regulation.
#2 Can you identify and monitor Privileged Users?
Once you know what and where the sensitive information is, you also need to know who has access to it, especially the Privileged Users - these are the people that have access to more information than the average employee.
Your business must have controls in place to monitor and manage the accessing of this data and be able to identify and halt any behaviour that could put you at risk of noncompliance.
#3 Do you have a Data Breach response plan in place?
If a data breach is discovered, under the new regulations, you need to have the right procedures in place to detect the issue, report it to the ICO within 72 hours and investigate fully.
The main purpose of a data breach response plan is to find out the impact of the breach and whether sensitive data was compromised. It should contain measures that can be quickly implemented to curb and prevent further breaches. Using professionally managed cloud-based systems can be a great asset for these eventualities.
#4 Have you updated and communicated your Privacy Policy?
Under the GDPR there are some additional areas you will need to cover under your organisation’s Privacy Policy or Notice. These include an explanation on your lawful basis for processing their data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language.
#5 Do you have a data erasure solution in place?
With GDPR, individuals will have enhanced rights to access their information, you should be able to have inaccuracies corrected, information erased, stop direct marketing information delivery and automated data collection with personal information within a short time frame – meaning you must know how and where the data is stored.
If requested, the customer’s data should be erased by a professional software so that not only are you are confident it has been fully deleted, but also that proof can be provided if necessary.
#6 Does your business have a Data Protection Officer?
Within your business, one person should be designated to take responsibility for data protection compliance. It is important to identify where this role will sit within your organisation’s structure and governance arrangements.
This must be a formal role if you are:
- a public authority (except for courts acting in their judicial capacity);
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
It is most important that someone in your business, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.
Professional help and guidance with GDPR
If you are concerned about any of these areas and would like professional guidance on GDPR get in touch now to talk to us about how we can help.
