As the saying goes, “If you think compliance is expensive, try non-compliance”. To help your organisation become GDPR compliant as easily and efficiently as possible, here are five best practice tips to follow ahead of the 25th May 2018 deadline.
1. Understand the language of GDPR
If you understand the main definitions of the current Data Protection Act (DPA), you have a head start understanding GDPR. “Personal data”, “data controller” and “data processor” mean broadly the same thing under GDPR, although “personal data” is now explicitly defined to include identifiers such as location data and online identifiers.
Make yourself aware, however, of some caveats. For example, processors now have a long string of direct legal obligations of their own, not just those passed down by contract from the controller. What the DPA calls “sensitive personal data” becomes “special category data” under GDPR: it now includes genetic and biometric data, while data about criminal convictions and offences is taken out of the category and given its own separate safeguards.
2. Record your grounds for processing and check for valid consent where required
Make sure you correctly assess and record your lawful basis for holding or processing personal data, before you start processing. For many commercial organisations this will be “legitimate interests”, which must be balanced against the rights and interests of the individual (or “data subject”) and cannot be relied on by public authorities for their public tasks. And make sure you have valid, “affirmative consent” where required (for example for marketing outreach): consent must be freely given, specific, informed and unambiguous, so a pre-ticked box or silence is no longer good enough, and you must be able to show when and how it was obtained.
3. Assess risks with a DPIA
Under the GDPR, organisations must adopt a risk-based approach to data processing. This means conducting a Data Protection Impact Assessment (DPIA) before starting any new technology or process that is likely to result in a high risk to individuals, for example large-scale profiling or monitoring. Where the DPIA identifies a high risk that you cannot reduce with appropriate measures, you must consult the ICO before beginning the processing.
4. Review your breach management procedure
If you are processing personal data of people in the EU and a breach occurs that is likely to result in a risk to your data subjects, you are legally obliged to notify the ICO within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, you must also tell the affected data subjects without undue delay. Not every breach needs to be reported, but every breach must be recorded internally. Make sure you know what, when and how to notify the ICO and your data subjects, and that your procedure can meet the 72-hour clock.
5. Understand the rights of your data subjects
Individuals’ rights are expanded under the GDPR, to give them increased privacy and protection. With this come more requirements on organisations to make sure people know what data you’re collecting on them, why, and what you plan to do with it. You’ll also need to be able to respond, normally within one month and usually free of charge, to requests for access to their data, as well as requests for rectification, erasure (the “right to be forgotten”), restriction of processing, data portability and objection to processing, where those rights apply.
For help preparing your organisation for GDPR, check out Me Learning’s online courses, developed alongside industry experts. Courses range across sector and job role, at various levels. For more information click here.