Practical steps to get ready for GDPR

The way in which businesses and governments store and make use of your personal information is about to change. At present, this is regulated by the Data Protection Act 1998, but it is clear to all that a piece of legislation implemented 20 years ago will no longer be fit-for-purpose, considering the vast developments in how we communicate and interact as a society.

On the 25 May 2018 this Act will be replaced by a new piece of legislation called the General Data Protection Regulation (GDPR). This Europe wide data protection instrument will bring about a number of changes in how personal data is handled and will require many businesses to make changes to their processes and procedures to ensure compliance with the new law. Key practical steps for your business will include the following:

Assign a Data Protection Officer (DPO)

Depending on the size of your business / organisation, a designated DPO will need to be appointed, to be responsible for monitoring compliance (and liability) for GDPR

Educate

Any member of your team who handles personal data will need specific GDPR training. Within the software sector, for example, this might be someone who manages communications with new users, performs data entry or looks after the company CRM system. Customer communications and social media teams will also be heavily involved in this process

Data breaches

Companies will have to report breaches within 72 hours to the supervisory authority and describe in detail the possible consequences of the breach and how they will mitigate its negative effects

Audit

You must audit and maintain where personal data is stored within your organisation and with whom it is shared. For large businesses operating across multiple sectors, this is obviously a huge undertaking, with many companies now investing in Security Information and Event Management (SIEM) tools to make this process more efficient

Update

Companies must update policies and privacy notices to reflect the newly revised rights of individuals and to comply with GDPR’s requirement for simple and concise privacy language across the board

Consent

For those organisations who need to seek customer / user consent for processing personal data, the ways in which your company seeks, records and manages consent may no longer be legally compliant and must be reviewed for GDPR implementation

Children

GDPR brings in special protection for children aged under 16 and requires companies to have robust strategies and systems for verifying age and / or ensuring guardian consent