With under a month to go now before GDPR comes into force on 25th May 2018, we are busy helping clients with their compliance. GDPR requires us all to demonstrate our compliance rather than assuming it in the absence of any complaint or fines.
In order to demonstrate our compliance there are various actions that we can take:
- Undertake an audit – GDPR requires us to give our staff, customers and contacts much more information with regard to their data. We cannot do this unless we understand what data we hold, why, who sees it, where it is stored and how long we keep it for. An audit is the best way to get to grips with understanding our data.
- Prepare your Record of Processing Activities – GDPR requires all businesses to have an RPA. This is an internal summary document that sets out, in broad terms, the processing activities that you undertake. It is a requirement for all businesses with over 250 employees or which process special categories of personal data. Remember that this includes medical data, so even small businesses may be caught if they have any employees with medical issues.
- Implement Privacy by Design measures – GDPR requires us to consider data minimisation at all times – what do we need to keep and what can we get rid of, how can we minimise the data that we hold?
- Conduct Impact assessments where necessary – where you are considering a change to your data processing activities, either by implementing a new system, or outsourcing a business function, you must carry out an impact assessment.
- Review and update current policies and procedures and ensure that they are put into practice – any policy created under the 1998 Act will need to be updated in line with GDPR obligations. We must give data subjects much more information than we ever have done – this will mean a review and update of your employee handbook, your online privacy policy, your data protection policy (now called Privacy Standards) and your terms and conditions.
- Review all data processing contracts to ensure that they are compliant going forward – GDPR introduces new liability for data processors and their contracts must be (i) in writing and (ii) be clear as to the precise scope and nature of the processing tasks that you are asking them to undertake.
- Train staff and engender a new culture which looks at data protection compliance as a part of our daily business life.
If you require more help with your GDPR compliance, please contact a member of our GDPR team: Laura Trapnell, Crispin Dick, Ryan Mitchell and Emily Sadler, or book a place on one of our training courses.