Chamber member Gilson Gray share another one of their informative GDPR blogs with members:
Is your business prepared for the upcoming General Data Protection Regulation (GDPR)?
Time is running out – the GDPR will come into force on the 25th of May 2018, don’t get caught out!
Here are twelve (12) steps to help your business prepare:
It is essential that you document all personal data that you collect and process in a format
that can be audited and regularly reviewed. This would include specifying what types of
personal data you collect, how you collect that information, how you obtain consent, where
that data is stored, how is it secured, and how long do you retain the information for before
Review your current privacy policies, fair processing notices, consent notices, and
contractual terms now and implement any necessary changes to bring the documentation in
line with the new transparency, reporting, and auditing requirements.
Raise awareness in your business about GDPR and ensure that all decision makers are
involved in GDPR and made aware that the law is changing. GDPR is not an IT only issue, it
affects all aspects of a business including physical security.
4. Legal Basis for Processing Personal Data
Your business must be able to demonstrate the legal basis for collecting and processing
personal data which would include keeping an auditable record of why you need personal
data, how you intend to use it, and how long it will be retained for.
Is your business correctly obtaining consent? Consent cannot be implied under the GDPR it
must be explicit, clear, freely given, requiring a positive opt-in, specific, granular, and kept
separate from your other terms and conditions.
6. Subject Access Requests
Evaluate your current procedures for complying with Subject Access Requests and ensure
you have a system in place to trace personal data and to respond within the new time limits.
7. Individual Rights
Evaluate your policies and procedures to ensure that they respect the rights of individuals,
including having the necessary technical and organisation means to respond to Subject
Access Requests and Erasure Requests (the Right to be Forgotten).
8. Data Breaches
Ensure that your business has the necessary measures in place to detect, investigate, and
report data breaches. Depending on the type of breach you may also be required to report
the breach within 72 hours to the Information Commissioners Office.
9. Privacy by Design and Privacy Impact Assessments
Businesses must have systems in place to assess how they process personal data and
undertake privacy impact assessments to demonstrate how they intend to protect personal
data from breaches.
If your business collects any information on children then you will need to implement
systems to verify individuals’ ages, gather parental or guardian consent, and ensure that
your privacy policies can be read and understood by children.
11. Data Protection Officers
If your business processes large quantities of personal data or sensitive personal data then
you may be required to appoint a Data Protection Officer who will be accountable for your
businesses data protection compliance.
12. International Transfers of Personal Data
If your business transfers personal data outside of the European Economic Area then you
will need to obtain consent from individuals to those transfers taking place.
To find our more or to speak to a member of our Data Protection Team, please visit
www.gilsongray.co.uk or call us on 0141 530 2022.