Most of us operating in companies that process personal data are by now aware of the bombshell that is ‘GDPR’. This long-awaited data protection regulation will take effect in a mere twelve months, on 25th May 2018. For many organisations, there is a big question over how best to begin a GDPR preparation campaign and which key areas to focus on. It can seem a daunting task considering that the consequences of failing to meet the requirements are so severe: fines of up to €20 million or 4% of global annual turnover.
But fear not! We have created a quick guide containing the top five challenges facing many companies when starting a GDPR campaign, complete with advice on how best to overcome them.
1. Creating awareness of GDPR throughout the organisation
Our advice: Get key players on board and construct an awareness plan.
As the old saying goes: fail to prepare, prepare to fail. Ensure that decision makers and key stakeholders in your organisation are aware that the law is changing, and secure senior-level buy-in. It will be of great benefit to you to have an executive sponsor whose job it will be to champion the campaign and ensure it runs smoothly.
To kick-start your GDPR project, we also recommend looking at your organisation’s risk register, if you have one. If not, it will be a handy tool to compile when beginning your GDPR journey.
Remember, time is of the essence. Begin as soon as possible to avoid any last-minute panic and use the coming year to raise awareness of the changes that are on the way. Our GDPR eLearning course is a great place to start when creating awareness amongst your employees.
2. Assessing current data processing methods and adjusting these to meet GDPR expectations
Our advice: Start by identifying and noting what personal data you hold, where it came from and who you share it with. Also, document any compliance measures already in place.
We recommend conducting an information audit. For example, if you hold inaccurate personal data and have shared it with another organisation, you will need to let that organisation know so it can amend its own records. Therefore, knowing what information you hold and for what purpose you are using it is key. It is also important to track the changes you make to any data processing activities in order to achieve GDPR compliance. Doing so will help you to prove compliance with the GDPR’s accountability principle.
3. Appointing a Data Protection Officer
Our advice: Determine whether the appointment of a DPO is a mandatory, or merely desirable, requirement for your organisation. Ideally, someone should be identified to take responsibility for data protection compliance, considering that a breach under GDPR carries such a hefty fine.
Organisations that will need to appoint a DPO include public authorities and those whose activities involve the regular and systematic monitoring of data subjects on a large scale. It is important to ensure that someone in your organisation, or an external data protection advisor, takes full responsibility for your data protection compliance. Key qualities needed for the role include having the knowledge, support and authority to manage data protection effectively.
It is also advisable to iron out a communication framework as soon as you have appointed your DPO. This should identify who will report to whom and where the role will sit within your organisation’s structure, to avoid any confusion.
4. Implementing new data processing methods
Our advice: Document and implement new compliance policies and procedures, and train your data processing team in accordance with these new measures. Review all existing contracts and consents and refresh them in line with the GDPR.
These must take into account the key changes, including privacy information, enhanced individual rights and Subject Access Requests, as well as consent.
Review your current privacy notices and create a plan for making any necessary changes in time for GDPR implementation.
Check your procedures to ensure they cover all the new, enhanced rights individuals have under GDPR, including how you would erase personal data or provide it electronically in a commonly used format.
Update your procedures and plan how you will handle subject access requests within the new one-month timescale.
Review how you are seeking, obtaining and recording consent and whether you need to make any changes. Remember to document all changes made. Also, keep in mind that GDPR will change how the personal data of children is processed. It’s advisable to start thinking now about what systems you can put in place to verify individuals’ ages and to gather parental or guardian consent for data processing activity.
5. Identifying and understanding how to deal with a data breach
Our advice: Have clear data breach notification procedures in place that enable you to detect and report a breach within the new 72-hour timescale.
Create an internal data breach register to log and track the investigation of any breaches that do occur. It is also important to assess which of the data you hold would require notification if a breach were to occur.
Ensure that your partners and suppliers are clear on their responsibilities in providing you with notification of all potential and confirmed breaches on their end.
Still overwhelmed? Don’t panic! There is still time to get your GDPR programme under control. Why not arrange to talk with our industry experts and discover the advantages that our new product ‘MetaPrivacy’ will provide when preparing your organisation for GDPR compliance. We also have two GDPR eLearning courses available to educate your staff and aid your GDPR awareness campaign.