9 quick tips to help your business prepare for GDPR
25 July 2017
10 months from today the General Data Protection Regulation (GDPR) will officially come into force. The new regulation from the EU, which has been four years in the making, aims to standardise and strengthen data protection across the EU, giving citizens greater control over how companies use their personal data and levying strict financial penalties on those who fail to comply.
Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK will still need to prepare for GDPR. The regulation applies to any organisation that processes the personal data of individuals in the EU, even if the organisation itself is not established in the EU.
Organisations were originally given a two-year transition period to prepare for the start of the GDPR. However, as the deadline grows ever closer, many are still under-prepared. Because the GDPR builds on the rules laid down by the 1998 Data Protection Act, most organisations will already comply with certain aspects, but there are a number of new obligations to be aware of. Below we have outlined some quick tips for compliance, and we recommend that organisations start to prepare for GDPR sooner rather than later.
Quick tips to prepare for GDPR
1. Appoint a Data Protection Officer (DPO)
Somebody will need to hold the role of Data Protection Officer. Under the GDPR a DPO is mandatory only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, but appointing one is good practice for any firm that handles significant volumes of personal data. The role does not necessarily have to be full-time, and it does not need to be filled by someone in your company: you can outsource it to a third party if you prefer.
2. Know how you can use data
You will, of course, store personal client data on file and across different IT systems. It is now imperative that you understand what personal data you hold, where it lives and how you process it. You may have obtained initial consent from the client, but this does not necessarily mean you have consent to process that data in a different manner or for a new purpose. You may need to obtain renewed consent, and you will certainly need to review your consent forms and documents to ensure they are robust enough to cover you.
3. Make people aware
All key decision makers and management within the firm should understand that the law is changing. They should understand how GDPR is being implemented and what effect it is going to have on the business.
4. Data on children
There is a real focus on data held about children within GDPR. You should be looking into how you verify the ages of individuals and how you will obtain parent or guardian consent for the processing of children's data.
5. Ensure your data processors are up to speed
Take the time to assess every service provider and every individual who processes personal data on your behalf. It is important that they fully understand the changes that are coming and take responsibility for them. Training is likely to be beneficial, and it is also important to continually monitor, report and audit. You can undertake regular Privacy Impact Assessments (PIAs, which the GDPR formalises as Data Protection Impact Assessments) to review processes and to deal with any required remedial action.
6. Understand your clients' rights
Clients have increased rights over the data you hold on them, beyond those in the 1998 Data Protection Act, such as the right to erasure, the right to be informed and the right to restrict processing. The right to data portability is new, so read up on it before changing policies and procedures. Also assess practical areas such as how you delete data and how you present it on demand, i.e. in what document format. Underlying all of this: what is your lawful basis for holding each category of client data?
7. Review consent and fair processing policies
The GDPR goes beyond current requirements around the information that must be provided to data subjects when requesting consent to process personal data. Consent processes and protections that satisfy the current rules will not necessarily satisfy the GDPR. Firms should ensure they use simple, plain language when asking for consent to collect personal data, and they need to be completely clear about how the data will be used: do not make any assumptions. Silence from a client is not consent, and neither are pre-ticked boxes or inactivity. Getting consent wrong will lead to problems and potentially large fines.
8. Prepare for a data breach
Even today, many firms have no truly usable, documented policies and procedures for how they will respond to a security breach. A firm must know exactly how it will deal with a breach, because making decisions while everything is falling apart around you can make a bad situation even worse. Under the GDPR, a personal data breach that is likely to risk individuals' rights must be reported to the supervisory authority within 72 hours of the firm becoming aware of it, so the plan needs to cover detection, assessment and notification, not just technical containment.
9. Use technology for automation
Law firms will typically have systems in place to assist in performing compliance and risk checks. Speak to the vendors of the systems you already use about how they will help you manage, as far as possible automatically, your compliance obligations around GDPR. The more you can automate, the lower the risk of something slipping through the net. It's all about the workflow.