Business First Magazine Summer 2017 | Page 19

of your processing activity (i.e. why you’re allowed to collect information under data protection law), and the GDPR also wants you to change the way in which you collect the data (pre-ticked “opt-in” boxes are now banned).
You’ll also have to compare your personal data use with the GDPR’s statement of rights for individuals. The GDPR contains the same rights as the current legislation (but with enhancements) and new rights for specific situations, such as the right to data portability.
Testing your compliance against the GDPR will involve you reviewing your documents and policies. You’ll need to check the privacy notices and data consent forms you use to collect personal data, the terms of contracts you have with anyone who provides personal data to you, and the contracts you have with anyone to whom you supply personal data. You’ll want to check any written data protection policy statements you have in place. In terms of procedure, you’ll want to check how you handle data access requests from data subjects, your information security procedures and your procedures for handling any data incidents and complaints.
STAGE 3: WHAT DO YOU DO TO COMPLY?
At the end of Stage 2, you should be able to document clearly what your organisation needs to do to meet the GDPR. And then you need to do it.
The initial work may be extensive, but is practical and straightforward. You update your contracts, policies, privacy notices and consent forms as required. You consolidate your data protection procedures and, if the dataflow audit reveals a compliance gap, you centralise data storage and restrict access to those who need it. You take the extra steps required by the GDPR: publishing the lawful basis of your processing activity, as referred to above, and reviewing your processes for data use to establish whether you can introduce “privacy by design” measures.
As well as taking these steps, you will have to document that they have been taken. You must be able to demonstrate the procedures which your staff and contractors follow in their use of personal data, and the procedures they follow in the event of a data breach. You will also have to consider whether you need to appoint a data manager. In certain types of business the GDPR requires the formal designation of a Data Protection Officer.
However, every business should designate a person who takes responsibility for data protection and for monitoring the business’s compliance with the GDPR. This is not a token role: the individual concerned should be tasked with overseeing, and reporting on, your use of personal data. It’s another aspect that you now have to actively demonstrate to the ICO.
To the lawyer, the steps so far sound clear and tangible. I suggest there’s an equally important but more intangible requirement for your business: cultural change.
GDPR compliance now has to become a monitoring issue on every company’s risk register: it’s an area of significant reputational, operational, legal and regulatory risk.
GDPR compliance should be an item on management team meetings from now until May 2018. A separate group would ideally be set up to supervise the audit and to ensure that compliance gaps are all plugged. The group would meet at least monthly, with the identified data manager overseeing its performance and reporting to management or the board periodically.
It’s a question of education and buy-in, at every level of your business. From May 2018 every one of your employees needs to regard data protection compliance as an issue to be respected and understood.
CONCLUSION
The difference between the GDPR and the current legislation is that current law makes data protection a nebulous risk area which is at best an annoyance – the GDPR will make data protection the norm.
Is the GDPR a burden? Certainly, at least at first, for the many organisations who traditionally pay lip-service to data protection laws, or who wait until there’s a data protection problem before taking steps to comply. The ICO recognises the burden, but correctly points out that the public is increasingly interested in data rights: if a company can demonstrate that it is fully GDPR compliant, the ICO believes that this will be of significant marketing advantage.
This article is a swift summary of GDPR compliance steps: watch this space for more detailed articles on each of the three stages described above.
But, in any case, don’t despair: you still have time to act. The ICO will be much more lenient with a business which has started to take all the necessary steps than with one which has taken no steps at all …
www.businessfirstonline.co.uk