With the deadline for the General Data Protection Regulation (GDPR) well behind us, UK businesses need to know how to be compliant, and fast!
25th May seems a long time ago but firms nationwide are still wondering: are we GDPR compliant?
We’re keen to help you out with this so, as part of our series on GDPR for Businesses, we share a few tasks that can help ensure you are compliant with the new data protection rules governing the EU marketplace. If you want the full in-depth GDPR rundown, head to our GDPR guide here.
Identify Stakeholders Affected by GDPR
First things first, your stakeholders need to understand the impact that GDPR can have on a company. Whilst data protection has surely been addressed previously in-house under the Data Protection Act of 1998, the new law means you’ll now have to identify which personnel need to be aware of GDPR and its implications.
This is a good time to create a list identifying all crucial stakeholders in your company, put GDPR on their radar, and ensure they evaluate the consequences of GDPR as it pertains to areas they are responsible for.
Put Someone in Charge of GDPR Compliance
If you carry out significant levels of monitoring on data subjects, process data pertaining to special categories (i.e. criminal offences), or are a public authority, you must appoint a Data Protection Officer (DPO). Firms should also take care to determine where the DPO will sit within the organisation’s structure and governance charts. The Information Commissioner’s Office (ICO) actually recommends that all businesses regardless of size designate a DPO as best practice.
Determine Any Other Authorities to Report to
Do you process data from a single spot (i.e. the UK)? Perhaps there are branch offices in Berlin, Warsaw or Rome that process their own data on behalf of the company. If so, you need to properly identify the governing bodies that all data protection officers need to report to.
Audit and Update Data Protection Practices
The biggest part of GDPR compliance is auditing your current data protection practices. Following these steps can help you get off to the right start with your audit:
1. Surveying All Data You Currently Hold
This is the best place to start when you audit your data protection practices. If the data you hold on subjects met the old laws, this is a good time to review whether it now meets GDPR regulations as well.
2. Reviewing All Privacy Notices You Broadcast
GDPR affects any privacy notices that you publish on your website. One area of concern is having a fully compliant policy that identifies the lawful basis for processing the subject’s data. You likely already have a Data Protection notice as part of the Data Protection Act, but this now needs updating to a new GDPR Data Privacy Assessment (DPIA) within your business.
3. Ensure You Can Comply with Data Requests
GDPR is meant to protect the rights of the individual; the onus is on businesses to meet those standards. To comply with GDPR you must be flexible on how data is sent to data subjects as part of their request. It is no longer good enough to just send it; your process must be flexible enough to send data in the format that the subject requests, and the data must be sent securely.
4. Review Your Consent Mechanisms
Under GDPR, companies are required to secure consent to process data. You’ll need to ensure that, in gaining the consent of the data subject, you have been “specific, granular, clear, prominent, opted into, documented and can be easily withdrawn.” This includes double opt-in. For more information on this, take a look at our in-depth blog post on the subject of consent and opt-in.
5. Ensure You Have Parental Controls in Place
Can you currently verify a person’s age in your data collection activities? Check your policy on this against current GDPR rules and make sure you can obtain parental/guardian consent where necessary.
6. Handle Data Requests and Breaches Responsibly
When you handle data requests from a subject, you need to ask some crucial questions about your procedures:
- What will you do when a subject wants access to their data?
- What will you do if they ask for their data to be removed?
- Do you have procedures to detect and investigate a breach?
- How will you report it to the proper authorities?
The Price of Not Complying Has Gone Up
GDPR compliance can seem monumental, and the penalties for getting this wrong have significantly increased since the deadline. NCC Group analysis revealed that TalkTalk’s £400,000 fine in 2016 would’ve been £59 million under GDPR.
Therefore, it’s clear that understanding and implementing the GDPR regulations needs to become an essential part of your agenda.
Take the first steps by downloading our official GDPR Toolkit for Businesses today.