9 quick tips to help your business achieve GDPR compliance
Last updated on April 15th, 2020
On the 25th of May 2018, the General Data Protection Regulation (GDPR) officially came into force. The new regulation from the EU, which was four years in the making, aimed to standardise and strengthen data protection across the EU, giving citizens greater control over how companies use their personal data.
With the maximum fine for failing to comply with GDPR being 20 million Euros or 4% of yearly global turnover, it’s imperative that a business complies with the regulation if it wants to stay in business.
Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK still need to comply with GDPR. The regulation applies to any organisation that processes the personal data of EU citizens, even if the organisation itself is not in the EU.
Despite organisations having been given a two-year transition period to prepare for GDPR, and the legislation now being in effect, many businesses have made no effort to become compliant.
Because GDPR builds on the rules laid out in the 1998 Data Protection Act, many businesses may mistakenly believe that being DPA compliant makes them GDPR compliant. There are, however, several major differences between the two.
Below we’ve outlined some quick tips for compliance. We recommend that organisations ensure they have achieved compliance if they want to avoid the heavy fines that can result.
1. Appoint a Data Protection Officer (DPO)
Somebody within the firm must hold the role of Data Protection Officer. They don’t have to be a full-time employee and they can be outsourced to a third party, but it’s mandatory that all organisations that process or store customer data have one under GDPR.
2. Know how you can use data
You will likely store personal client data on file and throughout different IT systems. Under GDPR it’s imperative that you understand what personal data you have and how you process it. You may have had initial consent from the client but this does not necessarily mean that you have consent for processing that data in a different manner. You may need to obtain renewed consent, and you will certainly need to review your forms and documents of consent to ensure they are robust enough to cover you.
3. Make people aware
All key decision makers and management within the firm should understand the full implications of GDPR. We’ve compiled the five most important details that CIOs need to know here, and there is a wealth of information about GDPR on the official European Commission website.
4. Data on children
There’s a big focus on data held about children within GDPR. You need to know how you verify the ages of individuals and how you will get parent/guardian consent for the processing of children’s data.
5. Ensure your data processors are up to speed
It’s worth taking the time to assess every service provider and individual who processes personal data for you. It’s important they fully understand the changes that have come along and that they are taking responsibility for them. Training would likely be beneficial, and it’s also important to continually monitor, report and audit. You can undertake regular Privacy Impact Assessments (PIAs) to review processes and to deal with any required remedial action.
6. Understand your client’s rights
The client has increased rights beyond the 1998 Data Protection Act around the data you hold on them, such as the right to erasure, the right to be informed, the right to restrict processing, and so on.
The right to data portability is completely new, so it’s worth taking another look at the client’s rights and going over each of them to ensure your policies and procedures are compliant.
It is also worth assessing how you delete data and how you present it on demand, i.e. in what document format.
7. Review consent and fair processing policies
The GDPR goes beyond legacy requirements around the information that must be provided to data subjects when requesting consent to process personal data. The processes and protections already in place are no longer applicable under GDPR. Firms should ensure they are using simple language when asking for consent to collect personal data. They also need to be completely clear about how the data will be used; don’t make any assumptions. Silence from a client is not consent. Any problems around consent will certainly lead to issues and potentially large fines.
8. Prepare for a data breach
Even with GDPR in full swing many firms have no truly usable documented policies and procedures in place for how they will respond to a security breach. A firm needs to know exactly how they will deal with a breach, as making decisions when it’s all falling apart around you can make a bad situation even worse.
9. Use technology for automation
Many firms will typically have systems in place to assist in performing compliance and risk checks, and the same or a similar system can be used to ensure GDPR compliance. It’s worthwhile speaking to the vendors you’re using about how they can assist you in the automatic management (as much as possible) of your compliance obligations around GDPR. After all, the more you can automate, the less risk there is of something dropping through the net.