Paula Tighe is a qualified data protection professional and leads the trusted advisor information governance service. Experienced in working with small, medium and large private and public bodies, Paula advises on a range of data protection issues, including training design and delivery, marketing, housing, project management and ICT security.
It is important for all businesses to understand the obligations that come with GDPR, and to start designing a comprehensive plan that will push through the necessary changes before the regulation applies on 25 May 2018.
Raise awareness and register it
Recording how you meet each regulatory requirement is a good starting point. GDPR makes accountability an explicit obligation, so documented evidence of what you did, and why, is what protects you from penalties for non-compliance.
Introducing a ‘data register’ (GDPR calls this a record of processing activities) is one of the most important changes. It should detail what personal data you currently hold, the reasons for processing it, where the data came from and who it is shared with.
Compliance is about improving current standards: asking why you hold certain data, whether you still need it, and making sure individuals’ rights are not breached.
You should also review existing privacy notices and make sure they are clear, concise and written in language the individuals concerned can understand.
Rights of the individual
GDPR will give individuals increased control over their personal data, including the right to have their data erased from a system. The right to erasure is not absolute (it does not apply where you have a legal obligation to keep the data, for example), so businesses need processes that can locate all copies of an individual’s data, decide whether the request must be honoured, and complete it within the one-month time limit. Having transparent procedures in place will help mitigate any potential future problems with the regulator. However, if you already handle data carefully under current laws, GDPR should not be too much of a concern.
Never assume consent
Obtaining and handling consent for using personal data can be tricky. Consent is only one of the lawful bases GDPR recognises for processing, but where it is the basis you rely on it must be freely given, specific, informed and unambiguous, so pre-ticked boxes and silence do not count. You must obtain that consent before using the data, keep a record of when and how it was given, and obtain fresh consent if you want to use the data for a different purpose than the one first agreed.
Keep reviewing and keep recording
Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA), which GDPR calls a Data Protection Impact Assessment (DPIA). The assessment identifies the likely effects on individuals if their data is lost, stolen or misused, and the measures you will take to reduce those risks; where a high risk remains after those measures, you must consult the regulator before starting the processing. Ensure you have a robust process for carrying out the assessments, make them part of your ongoing processes, and record each assessment along with its outcome.
Make someone responsible and keep it up
If your business handles personal data on a large scale, it may be worth appointing a dedicated data protection officer who can ensure processes are in place that adhere to the regulation. For public authorities, and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, appointing one is mandatory rather than optional.
You must also consider written records: structured paper filing systems are covered by the regulation just as electronic records are, so ensure all your staff are trained on the correct handling of personal data in whatever form it takes.
Remember, it is important to record all steps within your ‘data register’ and, if you are an SME, it will pay to introduce as many new procedures and policies as possible before 25 May 2018 to show a willingness to comply with these regulations.