Here’s where to start.
The GDPR deadline is approaching fast: May 25th 2018 is getting harder and harder to ignore. If you have only recently found out about the GDPR, or if preparation has been sitting at the bottom of your to-do list for too long, there are certain things you need to begin now in order to comply in time. But don’t panic! Purple recommends these 10 activities to kickstart your journey to compliance before the hourglass runs out.
Research. The first step is simply understanding how the GDPR will affect your organisation. Review the ICO GDPR quick fact sheet, which highlights the main things you need to consider; it applies to every individual and business from May. Ask questions. What kind of organisation are we? Which sectors do we operate in? What sort of data do we capture, and where? A good source for this knowledge is the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Risk assessment of systems, processes and policies that process data. You need to understand where, how and why data moves through your organisation. A PDI (Personal Data Inventory) is a good way to aggregate this information into one document. Remember to include data from your suppliers and third parties. The PDI should include data that is considered sensitive as well as non-sensitive.
DPO. Certain organisations are obliged under the GDPR to appoint a data protection officer (DPO); these include:
- Public authorities (except for courts acting in their judicial capacity)
- Organisations whose core activities require regular and systematic monitoring on a large scale
- Organisations whose core activities consist of large scale processing of special categories of data
A DPO’s role is to provide technical and compliance guidance for the entity, monitor the organisation’s approach to privacy by design, and coordinate with the relevant supervisory authorities. Be aware that you can still voluntarily appoint a DPO even if you are not obliged to by law, but remember that once you appoint a DPO this can’t be revoked. If you have decided you require a DPO, it’s important to appoint one quickly: with the deadline approaching, they are in high demand!
Prioritise risks with regard to your data processing. Data protection impact assessments (DPIAs) will enable you to understand these risks. A DPIA should describe the “how” and “why” of a process, assess its necessity, set out the risks it poses to individuals and, most importantly, identify what measures can be implemented to mitigate those risks. When creating DPIAs you should absolutely prioritise sensitive data, especially if you are running on a tight schedule.
Third parties. Understand your third parties as a priority. Work out who is a data processor and who is a data controller.
Be prepared to receive (if you haven’t already) questionnaires from third parties that you will need to respond to. Third-party identification is all about having done sufficient due diligence on the organisations you share data with, in order to hold yourself harmless from any future breach.
Create a plan. To be prepared on May 25th, you need to start thinking ahead. Develop a plan of action that starts now, so you can allocate the time necessary to tackle these tasks. Consider GDPR readiness a new or ongoing project that may need to be handled by a group of employees within your organisation rather than an individual. Decide your actions and delegate responsibilities as soon as possible; these tasks could interfere with your current business schedule, so don’t delay in working it out.
Tools and solutions are available to aid you, and most come with a low price tag, if any. A good piece of data handling software might be your first step, especially if you have less time or fewer resources to analyse the data yourself. The ICO is there to assist, and if you are a small business, make use of the helpline that is available.
Minimise data. This is an essential tip for surviving the GDPR; arguably the most important part of becoming compliant is to trim the data fat from your organisation. Less data means fewer potential problems. Once you have created a personal data inventory and risk audit, consider how much of the data that you capture and process is really necessary. If you can sensibly delete or erase certain types of data or groups of data, then it is in your best interest to do so.
Implement changes before the date. You will probably discover during your readiness project that there are policies that need changing, new contracts that need signing, and third-party relationships that have changed entirely. It’s important to make sure that everyone in your organisation is aware of the changes and educated in terms of data protection. If you are discovered to be non-compliant after the deadline, being able to prove that you are implementing changes will be looked on more favourably than ignoring it altogether.
Educate staff. To reiterate, making staff aware of the GDPR and their responsibilities will create a company-wide awareness of the regulation that will reduce the chance of data being mishandled. Support your staff with training where necessary. Make sure to also broadcast your GDPR efforts to your user community; making them aware shows that your company is conscientious regarding the law and their privacy.
Purple provides expertise in GDPR and has developed a GDPR readiness assessment, supported by a portfolio of services, to help organisations ensure they are compliant through practical but effective responses to the key tenets of the new regulation. Purple’s position on GDPR is that every organisation should embrace this as a positive move: rather than looking only at the investment required to be compliant, use this as a good PR exercise to demonstrate to your customers and staff that you take their data privacy seriously.