If you run a business, school or charity, the GDPR will probably be on your radar by now. Although preparing for the new rules may seem like a daunting task, it doesn’t have to be.
When it’s introduced on 25 May 2018, the General Data Protection Regulation (GDPR) will apply to all UK businesses that handle personal data. As a result, every organisation that collects, processes or stores personal data should be taking steps now to ensure it can achieve compliance.
Here are our top 10 practical tips to get ready for the GDPR:
1. Fully understand why you collect and hold data. The GDPR requires you to give more information to individuals explaining how their data is used – you can only do this if you understand the reason why you collected and hold it in the first place.
2. Stop collecting data you don’t have a legitimate need for – addressing point 1 should help you identify where changes can be made.
3. Update your privacy notices to provide the additional information required by the GDPR.
4. Treat data such as IP addresses and other online identifiers as personal data.
5. Review your consent practices to bring them in line with the GDPR’s standards. Many organisations we talk to are relying on consent when they don’t need to – could you be doing the same?
6. Train staff on the enhanced data rights given to individuals by the GDPR. All staff should be aware of key changes, such as no longer being able to charge for responding to subject access requests.
7. Assess how long you retain data for, and how you store and secure it. The GDPR doesn’t necessarily require you to change your practices on these points, but you shouldn’t hold on to personal data for longer than you need to, and it needs to be kept secure.
8. Amend all of your data contracts. Even if they comply with the current law, they will need to meet additional requirements introduced by the GDPR.
9. Speak to any suppliers who process personal data for you in other jurisdictions (particularly those outside of the EEA). Additional requirements are being introduced when using data service providers outside of Europe, and your suppliers should be aware of these changes by now.
10. Keep records of what you are doing to prepare for the GDPR. Organisations will need to evidence their compliance with the legislation, under a new “accountability” concept included by the GDPR.
Although a few of the finer details of the GDPR are yet to become clear, ticking off the above should ensure that you are as prepared as possible for the new data protection regime. If you’ve already started to tick these off, you can find out how compliant your organisation is by using our GDPR health check tool.
If you need some extra support, we have also devised a GDPR compliance-ready solution to help you become compliant by the May 2018 implementation date. No matter what stage your organisation is at, this solution works with you through six key stages.
For further information on the GDPR compliance-ready solution or the GDPR generally, please contact James Boyle.