Tomorrow, the General Data Protection Regulation (GDPR) will come into force. The main principles of the GDPR are similar to the current Data Protection Act 1998, so this will form a good basis for compliance. However, there are new elements to the GDPR, so new procedures relating to how data is stored, managed and processed may need to be put in place.
By now, many companies should be well underway to becoming compliant with the new regulation. However, if you have yet to start, then we have put together our top ten tips for surviving GDPR.
Top survival tips
1 – Data Inventory Audit
As soon as possible, you should carry out a data inventory audit. You as a company need to understand what data you hold, for what purpose and for what legal basis. This will allow you to quickly highlight key areas that need addressing.
2 – Legitimate Interest (LI) Assessment
If you as a company wish to rely on LI as the legal basis for using the personal data, you will need to demonstrate that you have fairly considered the processing operation and balanced the necessity of the operation with the rights of the individual.
3 – Update Privacy Notices
You must make sure your privacy notices are brought into line with the necessary GDPR standards. You should ensure the notices contain all the requisite additional information.
4 – Amend Data Contracts
Ensure that all agreements concerning the processing, using and storing of personal data are compliant with the GDPR. Whether you are a controller or processor, you will be liable for breaches.
5 – Software check
Check, change and/or upgrade existing software, patches, firewalls and digital security measures. The easiest way to fall foul of the GDPR is to leave yourself an easy hacking target. You must also carry out this check for any processors you use.
6 – Subject Access Request Policy
In order to avoid the ‘ambulance chasing’ data opportunists, prepare a robust policy for how to deal with these requests. Ensure you are able to identify, respond to and fulfil these requests in an effective manner.
7 – Record Keeping
Produce and maintain records of your progress towards GDPR compliance. Under the new regulation, you will be required to produce evidence in order to establish compliance. It will also help you plan and track your progress.
8 – Appoint Data Protection Officer
For some businesses, it is an obligation to appoint a Data Protection Officer (DPO). Even if this is not a requirement for your business, you may still think it is worthwhile appointing one as a DPO can help drive your company towards compliance and ensure personal data is being treated appropriately.
9 – Data Protection By Design
As well as assessing and adapting existing practices, you are obliged to implement appropriate technical and organisational measures to prove that you have carefully considered and properly integrated data protection into your present and future processing activities.
10 – Data Breach Policy & Procedure
It is critical that you establish a rigorous breach detection, investigation and internal reporting procedure. This will allow you to effectively identify, resolve and report personal data breaches. Companies are only afforded a 72-hour window to report a breach from first becoming aware of it. It is therefore evident that a thorough procedure is essential.
We have a team of expert GDPR lawyers who can help your business. Our team have put together a must-read GDPR business guide, which is freely available to download via our Insight legal resources on our website by clicking here.
James Simpson, our lead GDPR Partner, is also qualified to act as your Data Protection Officer (DPO), should your business fall within the threshold for this GDPR requirement. If you are interested in speaking with our team to discuss how they might be able to help you, then please contact us today on 020 3814 2020.