9 quick tips to help your business achieve GDPR compliance
July 25th, 2017
On the 25th of May 2018, the General Data Protection Regulation (GDPR) officially came into force. The new regulation from the EU, which was four years in the making, aimed to standardise and strengthen data protection across the EU, giving citizens greater control over how companies use their personal data.
With the maximum fine for failing to comply with GDPR being 20 million Euros or 4% of yearly global turnover, it’s imperative that a business complies with the regulations if they want to remain extant.
Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK still need to comply with GDPR. The regulations apply to any organisation who processes the personal data of EU citizens, even if the organisation itself is not in the EU.
Despite organisations being given a two-year transition period to prepare for the start of the GDPR, and the legislation now having come into effect, many businesses have made no effort to become compliant.
Because GDPR builds on the regulations outlined by the 1998 Data Protection Act, many businesses may mistakenly believe that if they were DPA compliant they will be GDPR compliant. But there are several major differences between the two.
Below we’ve outlined some quick tips for compliance. We recommend that organisations ensure they have achieved compliance if they want to avoid the heavy fines that can result.
9 tips for GDPR compliance
1. Appoint a Data Protection Officer (DPO)
Somebody within the firm must hold the role of Data Protection Officer. They don’t have to be a full-time employee and they can be outsourced to a third party, but it’s mandatory that all organisations that process or store customer data have one under GDPR.
2. Know how you can use data
You will likely store personal client data on file and throughout different IT systems. Under GDPR it’s imperative that you understand what personal data you have and how you process it. You may have had initial consent from the client but this does not necessarily mean that you have consent for processing that data in a different manner. You may need to obtain renewed consent, and you will certainly need to review your forms and documents of consent to ensure they are robust enough to cover you.
3. Make people aware
All key decision-makers and management within the firm should understand the full implications of GDPR. We’ve compiled the five most important details that CIOs need to know here and there is a wealth of information about GDPR on the official European Commission website.
4. Data on children
There’s a big focus on data held about children within GDPR. You need to know how you verify the ages of individuals and how you will get parent/guardian consent for the processing of children’s data.
5. Ensure your data processors are up to speed
It’s worth taking the time to assess every service provider and the individuals who process personal data for you. It’s important they fully understand the changes that have come along and that they are taking responsibility for them. Training would likely be beneficial and it’s also important to continually monitor, report and audit. You can undertake regular PIA (Privacy Impact Assessments) to review processes and to deal with any required remedial action.
6. Understand your client’s rights
The client has increased rights beyond the 1998 Data Protection Act around the data you hold on them, in areas such as the right to erasure, the right to be informed, the right to restrict processing, etc.
The right to data portability is completely new, so it’s worth taking another look at the clients’ rights and going over each of them to ensure your policies and procedures are compliant.
Assessing how you delete data and how you present it on demand, i.e. in what document format, is also worth considering.
7. Review consent and fair processing policies
The GDPR goes beyond legacy requirements around the information that must be provided to data subjects when requesting consent to process personal data. The processes and protection already in place are no longer sufficient under GDPR. Firms should ensure they are using simple language when asking for consent to collect personal data. They also need to be completely clear about how they will use the data, and must not make any assumptions. Silence from a client is not consent. Any problems in the area of consent will certainly lead to issues and potentially large fines.
8. Prepare for a data breach
Even with GDPR in full swing, many firms have no truly usable documented policies and procedures in place for how they will respond to a security breach. A firm needs to know exactly how they will deal with a breach, as making decisions when it’s all falling apart around you can make a bad situation even worse.
9. Use technology for automation
Many firms will typically have systems in place to assist in performing compliance and risk checks and the same or a similar system can be used to ensure GDPR compliance. It’s worthwhile speaking to the vendors you’re using about how they can assist you in the automatic management (as much as possible) of your compliance regulations around GDPR. After all, the more you can automate, the less risk there is for something to drop through the net.