9 quick tips to help your business achieve GDPR compliance

July 25th, 2017

On the 25th of May 2018, the General Data Protection Regulation (GDPR) became enforceable across the EU. The regulation, which was four years in the making, aims to standardise and strengthen data protection across the EU, giving individuals greater control over how companies use their personal data.

With the maximum fine for failing to comply with GDPR being 20 million Euros or 4% of yearly global turnover, whichever is higher, it’s imperative that a business complies with the regulation if it wants to stay in business.

Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK still need to comply with GDPR. The regulation applies to any organisation that processes the personal data of individuals in the EU, even if the organisation itself is not established in the EU.

Despite organisations having been given a two-year transition period to prepare for GDPR, and the legislation now being in effect, many businesses have made no effort to become compliant.

Because GDPR builds on the principles set out in the 1998 Data Protection Act, many businesses may mistakenly believe that if they were DPA compliant they will automatically be GDPR compliant. There are, however, several major differences between the two.

Below we’ve outlined some quick tips for compliance. We recommend that organisations make sure they have achieved compliance if they want to avoid the heavy fines that can result.

9 tips for GDPR compliance

1. Appoint a Data Protection Officer (DPO)

Somebody must hold the role of Data Protection Officer. They don’t have to be a full-time employee and the role can be outsourced to a third party. Under GDPR a DPO is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special categories of data (such as health data) on a large scale. Even where it is not strictly required, appointing a DPO is a sensible way to give data protection a clear owner within the firm.

2. Know how you can use data

You will likely hold personal client data on file and across different IT systems. Under GDPR it’s imperative that you understand what personal data you have, where it lives and how you process it. You may have had initial consent from the client, but this does not necessarily mean you have consent to process that data in a different manner or for a new purpose. You may need to obtain renewed consent, and you will certainly need to review your consent forms and documents to ensure they are robust enough to cover you.

3. Make people aware

All key decision-makers and management within the firm should understand the full implications of GDPR. We’ve compiled the five most important details that CIOs need to know here and there is a wealth of information about GDPR on the official European Commission website.

4. Data on children

There’s a big focus within GDPR on data held about children. You need to know how you verify the ages of individuals and how you will obtain parent or guardian consent for the processing of children’s data. For online services offered directly to a child, GDPR sets the age of consent at 16, though individual member states may lower this to as young as 13.

5. Ensure your data processors are up to speed

It’s worth taking the time to assess every service provider and every individual who processes personal data on your behalf. It’s important they fully understand the changes that have come along and that they are taking responsibility for them, which should be reflected in your written contracts with them. Training would likely be beneficial, and it’s also important to continually monitor, report and audit. You can undertake regular Privacy Impact Assessments (PIAs), known under GDPR as Data Protection Impact Assessments (DPIAs), to review processes and deal with any required remedial action.

6. Understand your client’s rights

The client has increased rights over the data you hold on them beyond those in the 1998 Data Protection Act, such as the right to erasure, the right to be informed and the right to restrict processing.

The right to data portability is completely new, so it’s worth going through each of the clients’ rights in turn and checking your policies and procedures against them to ensure they are compliant.

It is also worth assessing how you delete data and how you will provide it on request. For portability requests the data must be supplied in a structured, commonly used and machine-readable format, so decide in advance which document format you will use.

7. Review consent and fair processing policies

The GDPR goes beyond legacy requirements around the information that must be provided to data subjects when requesting consent to process personal data. Consents and processes that were acceptable under the old regime may no longer meet the GDPR standard. Firms should use simple, plain language when asking for consent to collect personal data, and be completely clear about how the data will be used; don’t make any assumptions. Silence from a client, pre-ticked boxes or inactivity do not constitute consent. Any shortcomings around consent will certainly cause problems and potentially large fines.

8. Prepare for a data breach

Even with GDPR in full swing, many firms have no truly usable documented policies and procedures in place for how they will respond to a security breach. GDPR requires that a personal data breach be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, and that affected individuals be informed where the breach poses a high risk to them. A firm needs to know exactly how it will deal with a breach, including who decides whether and whom to notify, because making decisions when it’s all falling apart around you can make a bad situation even worse.

9. Use technology for automation

Many firms already have systems in place to assist with compliance and risk checks, and the same or a similar system can be used to support GDPR compliance. It’s worthwhile speaking to the vendors you’re using about how they can help you manage your GDPR obligations automatically, as far as possible. After all, the more you can automate, the less risk there is of something slipping through the net.