Organisations around the world will soon be breathing a collective sigh of relief as the impending GDPR deadline finally comes into force.
After all the planning and preparations that have taken place over the last two years, the GDPR will officially come into effect on the 25th May and completely overhaul the current data protection rules, giving EU citizens greater control over their data.
There has been a lot of last minute scrambling as businesses rush to ensure they are compliant with the new regulation and not liable for the large fines that will be imposed as a result of non-compliance. There will be a number of organisations that have taken the time to methodically work through their GDPR planning, and others that have left it all to the last minute.
No matter what stage you are at in your GDPR journey, our final checklist will provide you with some guidelines on what you need to do to make sure you are ready for the impending changes and steps you need to take to demonstrate compliance going forward.
1. Identify all the Personal Data you hold
The EU defines ‘Personal Data’ as any information that can be used to directly or indirectly identify an individual (data subject). This includes everything from a name or email address to an IP address or images. It also includes sensitive personal data, such as biometric or genetic data, which could be processed to identify an individual.
If your organisation handles data for European citizens, you will need to complete an audit and find out:
2. Educate Your Personal Data Handlers
A Personal Data Handler is anyone within your organisation who is authorised to handle and process personal data. Responsibilities are often assigned on a departmental basis. Ideally, each line of business will have a Data Privacy Champion, someone who understands personal data handling, processing and privacy practices. Appointing a personal data handler will help facilitate compliance within your organisation.
3. Understand Data Subject Consent
The GDPR specifies that there must be explicit consent by the user. This consent must be recorded for reporting and auditing processes. Where processing is based on a data subject’s consent, they can withdraw this consent at any time. They also have the right to know how long their personal data will be retained for future processing. If your organisation processes data of underage subjects, you need to make sure you have the adequate systems in place to verify individual ages and gain consent from guardians.
Data subjects should be provided with notifications that are clear and easy to understand. They should also have the right to know what safeguards are in place to protect their personal data and whether any third parties are involved in the processing of their data.
4. Update Procedures for Data Subject Request Handling
Organisations must have processes in place for accommodating data subject requests. Data subjects must be allowed to exercise their rights free of charge and organisations must comply within one month of receiving the request, or with a maximum two-month extension depending on the complexity and number of requests.
5. Plan for Privacy Breach Identification and Response
Once organisations are aware that a privacy breach is in process, the immediate concern is to stop the breach from continuing. The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection.
If the breach results in a high risk of affecting an individual’s rights and freedoms, then the individual must be notified with immediate effect.
Companies should have an incident response plan in place outlining how incidents will be identified, who will be engaged, how the threat will be contained and eradicated, and how the business will document and report on the breach.
6. Evidence Understanding of Data Protection
Organisations need to prove that staff have both read and understood GDPR Policies. Being able to provide this evidence puts organisations in a strong position to demonstrate that ‘Privacy’ has become an integral part of their day-to-day business. eLearning is one of the best ways to ensure that staff fully understand GDPR policy.
An eLearning programme will not only ensure effectiveness of the learning experience, but it will also enable organisations to demonstrate that policies have been properly distributed in a meaningful and measurable way.
7. Report Ongoing Compliance Efforts
The GDPR requires that organisations evaluate the effectiveness of personal data related operational practices. Carrying out regular evaluations of compliance efforts and having a reporting structure in place will enable businesses to evidence accountability to senior management, stakeholders and supervisory authorities should the need arise. The effectiveness of an ongoing compliance programme requires tracking measurable metrics and adjusting processes when inconsistencies are identified.
8. Conduct a Cyber Security Review
Cyber-crime continues to evolve and grow at a rapid rate and presents a real danger to organisations across the world. Organisations need to assess how secure their network is, how easily it could be breached, whether their data is encrypted and whether staff are trained to recognise the risks.
The majority of all data breaches begin with a simple phishing email, so it is vital that organisations invest in training their employees to identify and respond appropriately to these threats.
The imminent GDPR deadline is by no means an end point to compliance. The GDPR will continue to evolve over time and organisations will need to constantly update their processes and systems to comply with the regulation.
If you would like more information on how your organisation can improve its approach to GDPR compliance, click here to find out how MetaCompliance can help.
DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.