Here’s our simple guide to what you need to do to sleep safe and sound at night with GDPR just around the corner…
With just a few weeks to go until GDPR becomes reality, scaremongering is reaching new heights. Given that the penalties for non-compliance can be hefty, along with damage to organisational reputation, this is not surprising.
It’s not just about your internal organisation… what about the controls and processes of your supply chain?
Here at BIAS, we like to make the complicated simpler. We like lists too, so here’s one to help you get shipshape…
1. Audit
Ensure your own house is in order! What data do you hold? Where is it? Are you sure that’s everything? Where did you get it from? Who can access it? Which third-party suppliers hold your customers’ data? Questions, questions, questions. Pretend you are 5 years old again and ask away… it’s important.
2. DPO
Not the old GPO (General Post Office), this is an appointment you will need to make: a Data Protection Officer. A grand title for an important position. This person will be your GDPR figurehead, responsible for data collection, procedures etc. Make sure you have one!
3. Privacy Policy
This should be a simple update to your existing policy, providing you have one, or the creation of something new. There are plenty of examples online.
GDPR states that individuals must know what you are doing with their data, so tell them. They need to know you have a lawful basis for collection, and that if they feel the personal information is being treated inappropriately, they can complain and seek redress.
4. Processes
Time to ensure you understand your data lineage. Map it out, and ensure it is updated to reflect any changes. Also, what happens if someone requests their data, or asks for deletion? Be prepared.
5. Breaches
Whatever the breach, it needs reporting to the Information Commissioner’s Office (ICO) within 72 hours, so you will need to either be eagle-eyed or have processes and controls in place to ensure you are alerted and can pass this information on. Quickly. We propose the latter approach.
6. International processing
In today’s global economy, data processing takes place across borders. So, establishing who your data protection authority is, so you can report to them, is key. This is an EU directive which will remain in force post Brexit, and it will usually relate to where your EU HQ is domiciled, although it is worth checking.
Feeling more reassured? If there is anything we can do, please get in touch, we are always happy to help.