GDPR Checklist: Is Your Business Compliant?
With the GDPR deadline a distant memory, if you’ve not yet thought about how you can be compliant, now is the time.
If you aren’t already compliant, you’ve missed the deadline and are at serious risk of incurring a fine from the ICO. Since the deadline was back in May 2018, there is real urgency for businesses to get compliant immediately. To get started, you’ll need to have a firm understanding of what GDPR is and what it means for your business.
Here’s a checklist of everything you need to tick off to get GDPR compliant:
The number one thing to ask yourself is: what is your awareness of GDPR like? GDPR awareness is often thought of as a spectrum. Some business people know it inside and out, while others have a scarce awareness at best.
In essence, GDPR is the result of four years work undertaken by the EU to align data protection regulations with the ways in which data is used today.
It comes after much deliberation, and the decision that the previous data protection legislation did not account for today’s technology.
Tougher, more up-to-date laws will succeed the existing laws laid out in the Data Protection Act 1998. The new GDPR legislation has introduced tougher fines for breaches and cases of non-compliance, and also gives individuals more say over what companies can do with their data.
Next: do you know who governs your GDPR practices?
It’s vital that you know who oversees this area. We’ll explain it in brief here.
There are governing bodies within each EU member state that are in charge of regulating compliance. These governing bodies are who you report any data breaches to, and you can also turn to them for wider GDPR guidance.
If you only control and process data from offices based in the United Kingdom, your governing body for GDPR compliance is the Information Commissioner’s Office.
Elsewhere – from other EU member states – you can find a selection of data authorities who govern each and every EU state here.
Internally, you need to assign this responsibility to what is called a Data Protection Officer (DPO). Whilst this is only mandatory for public authorities and companies involved in large scale monitoring of individuals, the ICO recommends it as best practice for most large businesses.
The good news is that this part is fairly easy and straightforward. You can choose any current trusted and reliable employee, and train them to become a certified DPO.
Here’s a little more on the kinds of work a DPO will undertake:
- A DPO will be expected to spread awareness of GDPR, and to guide the organisation on its way to being compliant.
- A DPO will also be responsible for monitoring compliance, and keeping an eye on internal data, training staff and being the first port of call for everyone and anyone.
There is no room for ambiguity here. Consent needs to be explicit, clear and affirmative. Under the old rules, pre-ticked boxes or opt-outs were standard, but that is no longer acceptable under the new legislation.
Your company must keep a record of how and when an individual gave consent. Note that the individual has the right to withdraw their consent at any stage of the process. They also have the right to know more about how their information is being used.
As with everything in GDPR, there is no room for error, misunderstanding or ambiguity. Identifying where the new regulation is subtly redefining concepts, such as personal data, is key.
Article 4 of the legislation states that personal data means any information relating to an identified or identifiable natural person. It also adds:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
One of the biggest changes is that personal data will now include digital identifiers such as IP addresses and mobile device identification.
Although the UK is leaving the European Union, GDPR took effect long before Brexit can have any legal consequences.
Quoting Karen Bradley, Secretary of State for Culture, Media and Sport:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR, and then look later at how best we might be able to help British businesses with data protection while maintaining high levels of protection for members of the public.”
It helps to understand clearly just what a data breach is. Here’s the definition given by our GDPR governing body, the ICO:
“A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data”.
If a breach occurs, you need to report it to your governing body (in the UK, the ICO mentioned above). Reporting is mandatory where there is a high risk to the rights and freedoms of individuals.
An unaddressed breach can pose significant problems for staff and the company as a whole, ranging from discrimination, financial loss and damage to reputation, all the way to the loss of confidentiality and the economic or social disadvantages that come with it.
These are just a few areas of GDPR compliance you should be thinking about. In terms of what you have to do to market responsibly by May 2018, our GDPR Guide for Businesses has all you need to know.
The toolkit also contains a comprehensive checklist expanding upon the points we’ve just covered. You’ll be able to tick off each and every area to ensure your business reaches compliance.
Remember the deadline is long gone, so get started today or risk the fine from the ICO!