Laying down your plans for GDPR

Paula Tighe argues businesses must start preparing for the general data protection regulation (GDPR) coming into effect next May.

GDPR isn’t something that can be planned for within a couple of weeks; it requires serious consideration from companies, who must start pushing through necessary changes now if they are to have everything sorted in time.

If your data has been obtained, processed or used within the EU, you must still comply with GDPR – the UK’s decision to leave the EU has no bearing on the regulations.

Raise awareness and register it
The first step for businesses is to begin recording the compliance process, including taking note of all significant changes to procedures and processes.

Also known as the ‘data register’, this record will help you protect yourself against claims, as it details all the personal data you currently hold, as well as your reasons for processing it. The register will ultimately help you adhere to the new accountability requirements of GDPR.

Rather than preventing you from doing things, GDPR instead aims to improve standards by encouraging you to review existing procedures and make them more efficient where possible.

Take a closer look at your existing privacy notices and policies, in both digital and hard copy formats, to ensure that they are concise, written in clear language, easy to understand and easily found.

Assess how you communicate these notices and policies with data subjects, ensuring you explain your reason for processing the data, how long it’s retained and how individuals can complain to the information commissioner’s office if they are not satisfied with how you’re handling their data.

Rights of the individual
GDPR will give individuals greater control over their personal data, so it is important you introduce procedures that can efficiently edit or erase information upon request.

Perhaps one of the key drivers for the changes is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.

Having transparent procedures will help mitigate many potential future problems with the regulator, regardless of complaints or investigations. If your organisation correctly handles personal data under the current data protection act, the change to GDPR should not be too much of a cause for concern.

If an individual makes a subject access request, you must comply within a month. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.

Never assume consent
Handling consent for the capture and use of personal data for more than just contact is a tricky area. Individuals must give clear consent for their data to be used and be able to revoke consent at any time - if you want to use their data differently, you must obtain a new consent.

How you attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.

Keep reviewing and keep recording
Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a privacy impact assessment (PIA) before beginning the project.

These assessments will help you and the regulator to decide the likely effects on the individual if their data is lost or stolen and this should form part of your ongoing processes.

Ensure you have a robust process for making the assessments and then record it, along with the outcome; a PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.

Make someone responsible and keep it up
If your organisation deals with personal data on a regular basis, it could be worth appointing a dedicated data protection officer to oversee procedures, and ensure everything is running smoothly.

It does not have to be someone within your organisation – you might choose to appoint an appropriate individual on a part-time or consultancy basis.

It’s not just electronically-held data that can pose a problem; you also need to consider written records as these are also covered by the regulations - ensure all your staff are trained on the correct handling of personal data.

The most important thing to remember is to continue recording the transition process over to GDPR, as this will help protect your business should a claim ever be brought against you.

Organisations that can prove they have made an effort to comply - even if they are not fully compliant with every aspect of the GDPR from the outset - will do better than those that can’t.
Paula Tighe is information governance director, Wright Hassall