Business First Magazine Summer 2017 | Page 19

of your processing activity (i.e. why you're allowed to collect information under data protection law), and the GDPR also wants you to change the way in which you collect the data (pre-ticked "opt-in" boxes are now banned).
You'll also have to compare your personal data use with the GDPR's statement of rights for individuals. The GDPR contains the same rights as the current legislation (but with enhancements) and new rights for specific situations, such as the right to data portability.
Testing your compliance against the GDPR will involve reviewing your documents and policies. You'll need to check the privacy notices and data consent forms you use to collect personal data, as well as the terms of contracts you have with anyone who provides personal data to you and with anyone to whom you supply personal data. You'll want to check any written data protection policy statements you have in place. In terms of policy, you'll want to check your procedures for handling data access requests from data subjects, your information security procedures, and your procedures for handling any data incidents and complaints.
STAGE 3: WHAT DO YOU DO TO COMPLY?
At the end of step 2, you should be able to document clearly what your organisation needs to do to meet the GDPR. And then you need to do it.
The initial work may be extensive, but it is practical and straightforward. You update your contracts, policies, privacy notices and consent forms as required. You consolidate your data protection procedures, and you centralise data storage and appropriate access controls if the dataflow audit reveals a compliance breach. You take the extra steps required by the GDPR: publishing the lawful basis of your processing activity, as referred to above, and reviewing your processes for data use to establish whether you can introduce "privacy by design" measures.
As well as taking these steps, you will have to document that they have been taken. You must demonstrate procedures which your staff and contractors follow in their use of personal data, and in the event of a data breach. You will also have to consider whether you need to appoint a data manager. In certain types of business the GDPR requires the formal designation of a Data Protection Officer.
However, every business should designate a person who takes responsibility for data protection and for monitoring the business' compliance with the GDPR. This is not a token role: the individual concerned should be tasked with overseeing, and reporting on, your use of personal data. It's another aspect that you now have to actively demonstrate to the ICO.
To the lawyer, the steps so far sound clear and tangible. I suggest there's an equally important but more intangible requirement for your business: cultural change.
GDPR compliance now has to become a monitoring issue on every company's risk register: it's an area of significant reputational, operational, legal and regulatory risk.
GDPR compliance should be an item on management team meeting agendas from now until May 2018. A separate group would ideally be set up to supervise the audit and to ensure that compliance gaps are all plugged. The group would meet at least monthly, with the identified data manager overseeing its performance and reporting to management or the board periodically.
It's a question of education and buy-in at every level of your business. From May 2018 every one of your employees needs to regard data protection compliance as an issue to be respected and understood.
CONCLUSION
The difference between the GDPR and the current legislation is that current law makes data protection a nebulous risk area which is at best an annoyance; the GDPR will make data protection the norm.
Is the GDPR a burden? Certainly, at least at first, for the many organisations who traditionally pay lip-service to data protection laws, or who wait until there's a data protection problem before taking steps to comply. The ICO recognises the burden, but correctly points out that the public is increasingly interested in data rights: if a company can demonstrate that it is fully GDPR compliant, the ICO believes that this will be of significant marketing advantage.
This article is a swift summary of GDPR compliance steps: watch this space for more detailed articles on each of the three stages described above.
But, in any case, don't despair: you still have time to act. The ICO will be much more lenient with a business which has started to take all the necessary steps than one which has taken no steps at all…