GDPR & Data Protection Act 2018 – Are you compliant?
On 25th May 2018, the E.U. General Data Protection Regulation (GDPR) came into force, alongside the new U.K. Data Protection Act (2018).
Whether you are trading with the E.U., sharing data to other countries (such as the USA), or even if you’re a small business – the backbone of our economy – you need to be compliant. Now.
Please read on as we highlight some of the important changes with which all businesses are having to come to grips.
The new regulations concerning privacy represent the biggest changes to running a business or organisation in a generation. We see many of the changes in data protection law as a positive step forward, as they increase your existing rights to data privacy and security, as well as improving the protection of your personal information.
You may be surprised to read the next sentence, bearing in mind the ‘noise’: contrary to what many commentators have been saying, compliance does not have to be overly complex. There are a handful of steps which are common to most organisations, and they form a logical process.
- Assess, analyse and prioritise the risks
The first step to complying with the GDPR is to detail and assess the risks to your organisation and to the rights of the individual. This can be achieved in a variety of ways, including a readiness survey, GAP analysis, preparing a process register and then a risk register. It may be useful to present the risks in an organisational risk heat map, to focus understanding, effort and budget. In that way, the highest risks are allocated the greatest proportion of your time and resource. Preparing a process register is one of the most critical parts of these exercises. In order to fix a problem, you must first understand what is broken.
- Create your policies, procedures and agreements
Once you understand the issues, you can implement appropriate policies and procedures. The following list forms a standard requirement, although your organisation may not require all items.
(a) PIMS (Personal Information Management System) – your PIMS is a template for you to develop and integrate with your existing policies. It is your “master control”, a live document unique to your organisation and, like your Process Register, will require your continual attention and adjustment.
(b) Process Register
(c) Organisational Privacy Risk Register
(d) Readiness Assessment and GAP Analysis
(f) Data Protection Policy Statement
(g) Privacy and Cookie Notice
(h) Privacy Procedure
(i) Training Policy
(j) Subject Access Request Procedure
(k) Records Management Policy
(l) Information Security Policy
(m) Data Protection Impact Assessment (DPIA) Procedure
(n) Consent and Consent Withdrawal Procedure
(o) Data Breach Procedure
(p) Complaints Procedure
(q) Data Sharing Policy
(r) Third Party Service Provider Agreement for Data Processing
- Develop workable processes to plan for continual maintenance and improvement
Once your policies and agreements are in place, you can then develop the process controls to keep these up to date and relevant. Complying with the GDPR is far more than a paper exercise. Real changes must be demonstrated and provable in the very cultural fabric of your organisation. It’s not just about documents, but about being able to prove compliance.
If you would like any further information and advice on complying with the GDPR and the Data Protection Act, please contact our team of experts headed by Humperdinck Jackman. Call us on 01895 811811 or email firstname.lastname@example.org. Humperdinck offers a no obligation one-hour meeting at our offices for FREE.
Humperdinck, who heads our privacy compliance team, has more than 20 years of experience in the field, and currently serves as the Data Protection Officer (DPO) for a major School’s Trust, as well as for a global children’s charity and two software corporations.