10 First Steps To GDPR Compliance
More and more businesses are becoming aware that the EU is now enforcing the General Data Protection Regulation across Europe. Organisations within the EU should be doing all they can to become compliant and remain compliant. Organisations outside of the EU who store and manage the personal data of EU citizens will also need to be compliant with the Act.
So, a few months have now passed and although awareness is growing, there are still businesses who haven’t even begun to look at their data protection policies. Is that you?
The Information Commissioner’s Office (ICO) will consider your organisation’s efforts to comply with GDPR when assessing any breaches that may occur, or when issuing penalties. It’s time for you to reassess your procedures and policies and begin your own journey to compliance.
To get you started, we’ve produced a guide to the steps you need to take now. It’s our 10 steps to compliance. If you’ve only just started to think about GDPR and its effect on your business, your staff and your clients – get started today and become GDPR compliant.
Ok, so first things first.
To kick start the process, you have to take a good look at where you are now.
- List the types of personal data you hold i.e. names, addresses, phone numbers, etc.
- List the sources of that data
- Do you have existing policies?
- How do you store personal data, documents, etc.?
GDPR requires you to establish a legal basis for collecting data.
Determining how and why you use data will make it easier to communicate your policies to your customers, clients, staff etc.
- Why are you storing personal data?
- How are you obtaining personal data?
- Why was it originally obtained?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share personal data with third parties, and on what basis do you share it?
Time to review those out of date policies – if you have any!
Organisations should write clear privacy and consent policies that are available on their websites. Need help with this? You’re in luck – that’s what DytaPro are here for!
Clear communication will help you build long-term customer and supplier trust in your organisation.
Data subjects have a number of rights relating to the way organisations collect, store and hold their data. These include:
- The right to be informed
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- The right to access
When collecting personal data from staff, clients or service users, you need to inform them of their rights.
5. Legal Grounds
Organisations need to prove that they have a legal ground to process data.
Examples of legal grounds are:
- Legitimate interests
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
It is no longer acceptable to believe you have consent to store and process personal data by default. Organisations must explicitly obtain consent and GDPR has toughened the rules for getting and keeping consent.
The main difference is that personal data must be obtained in a way that leaves no room for misinterpretation. This means it must be provided in a clear statement – whether written or spoken.
If you have staff, educating them about the implications of GDPR for their work and for your organisation as a whole is extremely important.
Training your staff will improve your organisation’s chances of becoming compliant and minimises the risk of a data breach.
Involving executives and senior members of staff in your organisation is key to becoming compliant. Their involvement will help identify the areas that may be at risk.
You are required to appoint a DPO, a Data Protection Officer, with responsibility for data protection compliance. The DPO must have the right knowledge, support and authority to carry out their duties effectively. Joining DytaPro will make this process so much easier!
Plan for a Data Breach. It may never happen but you must be prepared.
Organisations must report data breaches to the ICO within 72 hours of discovery. Any loss of unencrypted personal data must also be communicated to the data subjects involved.
With DytaPro, this process is made easier and our automated system will generate the information you need to send to the ICO at the click of a button.
10. Data Protection Impact Assessment
It is vital that you adopt a privacy-by-design approach to data protection. To do this, you will need to conduct a data protection impact assessment (DPIA) before undertaking new projects or initiatives.
DPIAs are mandatory for certain organisations in cases where a new technology is being deployed, or where a profiling operation is likely to affect customers.
So there you have it – the first 10 steps to compliance. DytaPro is here to help you with these first steps and beyond.
DytaPro was founded to help small businesses achieve GDPR compliance, gain peace of mind without having to pay the excessive prices that some of our competitors charge, and have the confidence to enter new markets as a result of their efforts to comply with the law.
Join here, see you on the inside.