Building a plan in time for GDPR’s arrival

With the General Data Protection Regulation (GDPR) just around the corner, businesses must begin preparing for changes early to avoid any punishment for non-compliance, according to Paula Tighe, Information Governance Director at leading law firm Wright Hassall:

“It is crucial that organisations take the time to fully comprehend the new regulation, and the legal obligations that come with it. Companies must achieve compliance by the time it arrives in May – failure to do so could result in serious, costly legal action.

“If your data is used, processed or recorded within the EU, you must comply with GDPR – the UK’s decision to leave the EU has no bearing on this ruling.”

Raise awareness and register it

Firstly, recording the compliance process is a very effective way of protecting your organisation from claims that you made no effort to meet the regulation.

Also known as the ‘Data Register’, this record will show all the data you currently hold, your reason for processing it and how it will be used. GDPR requires that effective procedures and processes are in place to allow individuals easier access to their personal data.

Compliance aims to improve standards by asking why you currently do what you do – it does not aim to obstruct or prevent you from doing things. Make sure you review how you search for, capture and record personal data – improving the effectiveness of processes where possible.

Also review your existing digital and hard copy format privacy notices and policies; are they concise, written in clear language, easy to understand and easily found?

It is important that you can clearly communicate these notices and policies with individuals – explaining how their data will be used, and showing them how they can lodge a formal complaint to the Information Commissioner’s Office if they are dissatisfied.

Rights of the individual

After the arrival of GDPR, individuals will enjoy greater control over their personal data, including the right to request that it be edited or deleted at any time. It is therefore your responsibility to ensure that appropriate procedures are in place to deal efficiently with any such request.

Perhaps one of the key drivers for the changes is the right of an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.

Adopting transparent procedures is one of the most effective ways to protect your organisation, and it will mitigate any future problems with the regulator. If your company already handles data carefully under current laws, then the switch to GDPR should not be a cause for concern.

When an individual makes a subject access request to see what information you hold about them, you must comply within a month. If you think the request has no merit, you can refuse, but you must tell them why and how they can complain to the regulator.

Never assume consent

Handling consent for the capture and use of personal data for more than just contact is a tricky area. You must obtain clear consent from the individual before using their personal data, and secure separate consent if you plan to use the data differently than first agreed.

How you attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.

Keep reviewing and keep recording

Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA).

These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Ensure you have a robust process for making the assessments and then record it, along with the outcome.

Make someone responsible and keep it up

If your organisation deals with personal data on a large scale, then it may be worth considering the recruitment of a dedicated Data Protection Officer, who can oversee procedures and ensure your organisation achieves compliance in time for GDPR’s arrival.

It’s not just electronically-held data that can pose a problem; you also need to consider written records, which are also covered by the regulations – ensure all your staff are trained on the correct handling of personal data.

Record how you handle each step of the process in your Data Register. In the event of a complaint or a data breach, it will be those organisations unable to demonstrate what they did to assess risk and mitigate it that will suffer.

Organisations that can prove they have made an effort to comply, even if they are not fully compliant with every aspect of the GDPR from the word go, will do better.
