GDPR guide: Preparing for the new changes
By now many businesses will have heard about the new General Data Protection Regulation (GDPR). But knowing is only half the battle. That’s why we’ve put together this GDPR guide.
In our previous article ‘GDPR: Do you know about the change?’ we spoke about the new legislation, which applies from 25 May 2018, and what GDPR means for business. The law will significantly change the ways in which companies can collect, store and process personal data, so it is strongly recommended that businesses begin the task of establishing new processes now.
To assist you with getting started, our GDPR guide can be found below. If you missed the last GDPR post, find it here.
GDPR Guide – Understand the change that is coming:
Do as much reading as you can to understand precisely what change is coming.
The best place to start is right here. As well as this GDPR guide, read our first article ‘GDPR: Do you know about the change?’ and follow us on Twitter and LinkedIn for the third instalment, then go from there.
The implementation period for the new legislation (it was adopted in April 2016 but does not apply until 25 May 2018) means that a failure to comply because you didn’t understand that the change was coming is unlikely to be accepted as an excuse. Furthermore, the penalties for failing to comply are high: fines of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. A financial penalty of that size could have a serious impact on the future of a business.
Understand the data that you currently have:
You need to examine the personal data that you currently hold, where you store it, why you are keeping it and on what lawful basis, who it is shared with and how long you retain it. By the time the legislation applies in May 2018, you will need to have all these details recorded. Doing this is what allows you to meet GDPR’s accountability principle, which requires organisations not only to comply with the legislation but to be able to demonstrate that compliance to the supervisory authority on request.
If you cannot meet the requirements, for example if you cannot state a purpose and a lawful basis for holding a set of personal data, then you must securely delete that data before the legislation comes into effect, or you will be in breach from day one.
You will need controls in place:
Article 24 of the GDPR requires data controllers to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that their processing of personal data complies with the Regulation; in practice this means documented processes for how personal data is collected, stored, accessed, shared and deleted. If your business is already certified to ISO 27001, the information security management standard, then you will probably have many of the required security controls and policies in place. Bear in mind, though, that ISO 27001 addresses information security generally and does not by itself cover GDPR-specific obligations such as establishing a lawful basis for processing, handling data subject requests or carrying out data protection impact assessments. If you have neither, it is likely that you will have a lot of work to do to put these processes in place.
Do you need a data protection officer?
Under Article 37, public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data, must designate a data protection officer. The DPO can be an existing employee or an external contractor, but that person needs to be in place by the time the legislation applies on 25 May 2018, so it’s best to start the recruitment or appointment process sooner rather than later.
Identifying data breaches:
One of the main requirements under GDPR is that you are legally bound to notify the supervisory authority (the ICO in the UK) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where a breach is likely to result in a high risk to those individuals, you must also inform them directly. That clock starts when you become aware of the breach, not when you finish investigating it, so you need procedures in place to detect, contain, investigate and report a data breach as soon as it happens, and to keep a record of every breach whether or not it was notified. Failing to notify is itself a breach of the Regulation and can attract fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher.
These are just a few simple steps to get you started. In next week’s article, we will consider the role of the data protection officer, who needs to appoint one and what their key duties will be.