Part 3 of 3
OK, so enough of the scaremongering. What can you actually do to make sure you are compliant with the GDPR requirements?
Firstly, make sure you understand the legislation being introduced (hopefully our posts have helped start that process) and the legal implications of not complying with it. A compliance audit of your business is therefore essential: map out what personal data you hold, where it is held, how it was acquired, who has access to it, and whether it is adequately secured.
Many organisations should actually be fairly well prepared for the GDPR, as they should be complying with the terms of the existing Data Protection Act, as Steve Wood, Deputy Commissioner (Policy), outlined in his blog for the ICO.
“If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR. Our GDPR overview and 12 steps to take now documents explain where there is continuity, what’s new and how to plan. Many of the principles reinforce tasks businesses will already undertake in relation to record keeping – e.g. the principle on data minimisation.”
Complying with the General Data Protection Regulation
To enhance this governance and to make sure your organisation can comply with the GDPR, it is recommended that a data protection officer (DPO) is hired or appointed internally – someone with a legal and technology background, so they understand both the regulatory framework and the technical controls needed to meet it. Note that for some organisations this is not optional: Article 37(1) makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data.
Article 37(5) and (6) of the regulation together give what is in effect a mini job description for the role: the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”, and may be either a member of staff or engaged under a service contract.
The data protection officer will help you clarify your position and help you demonstrate your compliance. To achieve this you need to:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities – a data register (the record of processing activities required by Article 30).
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - Data minimisation;
  - Pseudonymisation;
  - Transparency;
  - Allowing individuals to monitor processing; and
  - Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
If you are really unsure of the position of your organisation, a great place to start is by using our GDPR Compliance Checklist and Workbook (see below) or the ICO’s online Data Protection Self Assessment Toolkit, both of which will help you assess your compliance with the current Data Protection Act as well as help you prepare for the GDPR.
“Any regulation has some sort of impact on an organisation’s resources. That’s unavoidable and GDPR is no different to any other new legislation in that respect. But thinking about burden indicates the wrong mindset to preparing for GDPR compliance,” said Steve Wood, Deputy Commissioner (Policy), ICO. “What must be recognised is that GDPR is an evolution in data protection, not a total revolution. It demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals. GDPR is building on foundations already in place for the last 20 years.”
The Positives and Opportunities of GDPR
Although the new regulation is going to have a significant impact on resources for every organisation, and will require a rethink of the way they handle data, the companies that get it right and are seen to be proactive can reap the benefits.
In this digital age, trust is paramount. Showing customers and employees that you are protecting their personal data and are transparent with the way that you are using that information will only enhance reputation and help establish new customer relationships, as Brian Hills, Head of Data at The Data Lab, clearly indicates in his blog post:
“Earning, building and retaining customer trust will be a key driver of business growth. New start-ups will disrupt incumbents and privacy by design will drive competitive advantage. As Forrester highlights, ‘Privacy is a game changer; it will be to organisations in 2016 what websites were to companies in 2000’.”
Organisations need to carry out a GDPR assessment and understand how personal data is linked, which departments use the data and how they use it. This need to map data and have a clear view of what the company holds means that companies need to make sure their systems and data are integrated, and that the resulting inventory is easily accessible from a central repository such as a web portal. A word of caution on the security side: what should be centralised is the register of what you hold and where; consolidating copies of the personal data itself into one store creates a single high-value target, so any such repository needs strict access controls, its own data minimisation and retention rules, and a place in your threat model.
As a result of integration, organisations will be able to break down data silos, which can help them with decision making. The information can also be used for efficiency gains, exploring new products and services and generally improving customer service – bearing in mind that the purpose limitation principle in Article 5(1)(b) means personal data collected for one purpose can only be reused for a new purpose that is compatible with the original one or that rests on its own lawful basis.
Download and use our GDPR Compliance Checklist and Workbook to carry out a self assessment of the data that you hold and determine what you need to put into action in order to comply with the new GDPR requirements.