1. GET YOUR GDPR DOCUMENTS IN PLACE
An absolutely essential part of being GDPR compliant is having the right documents in place that show the ICO that you have taken the necessary steps to become GDPR compliant should an investigation or audit ever take place.
The right GDPR documents should typically include:
Data Protection Policy (internal document)
Data Retention Policy (internal document)
IT Security Policy (internal document)
Data Privacy Policy (to be issued to your data subjects, typically appearing on your website)
Terms of Website Use (available on your website)
Employees Privacy Notice (to be issued to employees)
Updates to employees’ contracts of employment
Data Processing Agreement (or amendments to existing contracts) where either your organisation or a third-party organisation providing their services to you may be classified as a Data Processor
Amendments to Data Controller agreements where typically both parties to a contract may share personal data
Data Protection Impact Assessments, where necessary
Correct language for obtaining consent
Communicating changes to your Privacy Policy to your data subjects, such as customers.
You may also need to have other documents and/or statements, depending on the nature of your particular business so it’s best to seek expert advice too so you can get it right for YOUR business. It is also very important to remember that compliance with all of your established policies and procedures is as important as having them in place and you will need to train your staff accordingly.
2. GET THE RIGHT PEOPLE TO CHAMPION YOUR GDPR COMPLIANCE
GDPR is an important piece of legislation and as you may know the breach of its provisions may cost up to 20 million Euro or up to 4% of a company’s worldwide turnover (whichever is the greater) not to mention potential negative publicity and damage to reputation so it is important to get it right and make sure that senior staff with an overview of the whole business are involved and that the right amount of time and resources are allocated.
3. ASSESS HOW YOUR ORGANISATION USES PERSONAL DATA Personal data is information that allows identifying an individual directly or indirectly, including their name, contact details, ID number, IP address, photographs and similar. It is important to take an assessment of what exact types of personal data are processed within your organisation and how they are collected, shared, stored, disclosed and are otherwise processed by your company.
You will also need to note reasons and the lawful basis for the processing of each of the categories of personal data by data subject so for example for your customers, employees, sub-contractors, suppliers, contractors, business contacts and any other type of data subject that is applicable to your business. You might find it useful to create a spreadsheet and even flowchart diagrams as a starting point and you will need all this information for your Data Protection Policy and other GDPR related documents.
4. GET YOUR RETENTION POLICY RIGHT
One of the GDPR principles is to not keep personal data for longer than necessary so you will need to establish how long you will keep different categories of data for and when you will need to dispose of it securely. Retention periods will vary by organisation.
5. SECURITY IS IMPORTANT
You must ensure that you have appropriate security measures in place in order to protect personal data, taking into account the resources of your organisation, as well as the nature of personal data itself and the potential harm that a security breach might cause. This is relevant to both paper and electronic documents with both physical and IT security measures being important. A security breach will need to be reported to the Information Commissioner’s Office (ICO) within 72 hours of its occurrence and there must be procedures in place within your organisation to make sure this happens on time, especially when third parties are involved.
It may all seem quite daunting but it is more important than ever to tackle your GDPR compliance. Now is the time for ACTION and remember LawBite is here to help!
To consult with the Lawbrief lawyer Alla, please submit an enquiry for a free 15-minute consultation or call the dedicated GDPR Hotline 0845 241 1843. To find out more please click here.
Journey further…
How LawBite works LawBite GDPR Rescue Package