Firms should start now to get geared up for implementing the GDPR.
Conduct an Audit
A good place to start is with a formal GDPR impact assessment. An audit will enable your firm to identify and document all the personal data it holds, where the data came from and who it’s shared with. Don’t forget to look for copies of documents containing personal information that could be held by vendors and subcontractors. An audit is an excellent opportunity to review existing processes for the collection, storage and tracking data and then making necessary adjustments.
Have Procedures and Policies
An audit is also a good time to review and update data protection policies and procedures. It’s important for firms to develop a culture of monitoring, reviewing and assessing its data processing procedures. Ideally the aim should be to minimise data processing and the retention of data. Staff should be trained to understand their obligations under the GDPR.
Privacy and Consent
Privacy should be embedded into any new processing developed by your firm (privacy by design).
Check whether the type(s) of profiling your firm conducts need explicit consent. If it does then review how consent is obtained and recorded. It should be freely given, specific, informed and unambiguous. It cannot be inferred.
As firms bear the burden of proof it’s vital to test and optimise data collection statements and ensure that your database can store proof of consent and multiple permissions.
|Consent is one of a number of ways of legitimising processing activity and since it can be withdrawn it may be better to be able to demonstrate that you have a legitimate interest in processing a subject’s data – an interest that is not overridden by the interests of the data subject. Of course firms must have a legal basis for collecting and using personal data for example employment, the prevention of bribery.The GDPR requires that information provided to data subjects is written in clear, plain language. Access, rectification, deletion and transfer rights need to be explained. Privacy notices should meet the “transparency” challenge.
Your procedures should address all the rights given to individuals: having inaccuracies corrected; deleting information and preventing direct marketing without consent. Make sure you know who is making decisions about deletion and if your systems support this. Don’t forget to explore data portability and the formats you use to supply information.
Gear up for Access Requests
Be prepared for data subjects to exercise their rights under the GDPR such as the right to data portability and the right to erasure.
Procedures for Data Breaches
Currently, not all organisations are required to notify the ICO when a breach happens. The new regulations require everyone to do this. Prepare for data security breaches. Establish clear procedures to rapidly detect, report and investigate any breaches.
Begin preparations NOW – don’t wait for GDPR to come into force.
Alchemy Systems have 20 years of IT systems experience and are a Microsoft Partner. Alchemy Systems Designs, Supplies, Installs, Supports and Protects clients’ IT systems. Our staff are experienced in the specific needs and challenges of compliance and audit with local a service centre offering strategy and protection services.