With less than a year to go before the GDPR becomes enforceable, all businesses, if they haven’t done so already, need to start taking the GDPR seriously.
The increased levels of potential fines have hit the headlines, but the GDPR is about much more than that. It’s about bringing data protection to the forefront of a business’ structure and culture – not an afterthought. It is, in the words of the GDPR: privacy by design and default.
Many of the fundamental principles of the GDPR are much the same as under the current legislation, but businesses now need to demonstrate the processes they go through, and the justification for how those decisions were made. Compliance is showing ongoing awareness and accountability – not just box ticking.
There are a number of steps that you should undertake in order to get ready for the GDPR, and these should be repeated regularly so that you remain compliant and can demonstrate it. For example:
- Ensure that the key people in your business are aware of the changes under the GDPR and the impact that this may have on your business processes and practices.
- Take time to conduct an internal data security audit. Understand what personal data is being processed, why it is being processed, and how it is being captured and stored.
- Consider whether your processing is lawful. Identify the legal basis for processing the personal data and make sure you document your justification. If you are relying on consent, check whether that consent meets the standard required under the GDPR: is it freely given, specific, informed and unambiguous? Silence, or a failure to untick a pre-ticked box, will no longer be acceptable evidence of consent (if it ever was). If your legal basis is no longer sufficient, you should start putting revised processes and fair processing notices in place as soon as possible.
- Review your internal processes. Ensure you are familiar with the rights of data subjects and understand what the business must do if the rights are exercised. Check you have procedures in place to detect, investigate, and report breaches.
- Review your data retention policy and erasure process. Is retention of the personal data really necessary? What is your justification for continuing to hold the personal data and is it being regularly reviewed? Keep a record of your reasoning and keep the process under review.
- Review how securely the personal data you hold is protected. Do you have adequate technical and organisational measures in place? Is your organisation able to ensure a level of security appropriate to the risk? How sensitive is the data, and does it need stronger protective measures?
- Review your staff training. Are the people that come into contact with personal data aware of their responsibilities? Do your staff know who to report to if there is a data protection breach? Consider whether your company is required to appoint a Data Protection Officer, or whether one should be appointed in any event.
- Review your third-party contracts. You have direct responsibility to ensure that people processing on your behalf comply with the GDPR. Check whether your contracts impose adequate obligations on processors. If you are a processor – recognise that you also have duties to ensure compliance.
When reviewing the above, bear in mind that failure to comply could now give rise to a maximum fine of 4% of your annual global turnover or €20,000,000 (whichever is the greater).
A systematic and organised approach will help you achieve compliance. Remember, the GDPR focuses on transparency and accountability. Think: Do you have a reason for doing what you’re doing the way you’re doing it, and is that lawful? Keep a record to show your process and reasoning, and keep it under review.