It's Not Too Late to Take GDPR Action - 5 Easy Steps To Get Started
It’s never too late to take action on GDPR. As recently as March 2018, just 5% of EU companies believed they were compliant with all of the requirements. It is essential that firms work towards achieving compliance before the implementation date – now just 17 days away. The new Regulation is wide-ranging and can seem overwhelming at first glance, especially to small and medium-sized businesses trying to meet current challenges without having to factor in GDPR on top. If you haven’t already, now is the time to begin addressing the requirements; the consequences of non-compliance under GDPR are likely to be very different from those under the existing DPA. Whilst the ICO will continue to oversee the application of the Regulation in the UK, potential fines of up to 4% of annual turnover mean that every business should consider what GDPR means for them. In this article, we offer a step-by-step guide to help firms on their compliance journey.
Step 1 – Review the rules
Before you can begin to review current practices and readiness for GDPR, it is important to be sure you know what you’re looking for. Some parts of the GDPR differ significantly from the current DPA, so it’s essential that anyone conducting a review or data inventory is equipped with the right knowledge. Read up on well-sourced articles from reputable experts, read through the GDPR Articles and Recitals themselves, or download our Full GDPR All Stars Education Series, which presents informed summaries of the main issues that firms need to consider.
Step 2 – Data inventory
The second step is to consider what data you have, where it came from, and how and why you use it. Depending on the type of firm you have and the type of business you conduct, you will need to know whether you are considered a ‘data controller’ or a ‘data processor’, and what your obligations are under whichever of those classifications applies (a firm may be both). You’ll also need to fully consider the types of data subjects for which you hold information, whether customer, supplier, employee, third party or next of kin. Firms need to be sure that they are allowed to process the data they hold, and must satisfy at least one of the lawful conditions for processing data. For smaller organisations, completing this step should be relatively straightforward. For firms that process more complex data sets, data about children or vulnerable individuals, or other special categories of data, such as health data, it is recommended that they seek advice from an expert.
Step 3 – Process review
Existing procedures and processes will need to be examined and amended. Using the information gathered in Step 2, the next stage is to consider how and why you process the data you do, and whether the systems, processes and procedures are adequate. You will need to consider how to update your current Data Protection Policy, and to put in place a Data Protection Impact Assessment (DPIA) policy and procedure; whether or not you currently have one, you’ll need to give some thought to DPIAs under the GDPR. Firms will also need to consider the ‘eight rights’ – the extended rights provided to data subjects. These will need to be factored into any Data Protection Policy; for example, the right to rectification means that firms will have thirty days to correct any incorrect data, ensure that processors do the same, and respond to the data subject. It’s vital that the rights are covered in the policy and that suitable processes are built to enable staff to respond to requests in line with the law.
Step 4 – Building documentation and ensuring communications are compliant
As well as policies and procedures, firms will need to ensure that their communications with data subjects are reviewed and updated, and in some cases, implement new documentation from scratch. Privacy Notices will need to be thoroughly reviewed and amended; the right to be informed means that the data controller is obliged to provide the data subject with a notice informing them how their data will be processed, of their rights, the retention period for their data, and how to complain, among other things.
Information provided on websites and in all marketing communication should be reviewed and amended, with particular attention to how consent is gathered. It is no longer enough to offer an ‘opt-out’ option; firms can only gather consented information with an affirmative opt-in.
Step 5 – Roll out and ongoing training
Once reviews have been completed, and documentation has been drawn up and put into place, it’s vital that new processes and procedures are communicated to staff. Staff who will have responsibility for undertaking particular activities, such as ensuring subjects receive a privacy notice, or processing requests for rectification or the right to access, will need to know how the new rules affect their roles, but it is a good idea for all staff to be made aware of the overview of changes. In addition, it’s worth remembering that if any current staff training includes information on the DPA, it will need to be amended to cover GDPR.
Our Full GDPR All Stars Education Series and our GDPR Preparation Pack offer a concise, informative aid to help medium and smaller firms on their journey to compliance.