Steps to Prepare for GDPR
The European Union has adopted a new regulation, the General Data Protection Regulation (GDPR), aimed at enabling EU citizens to monitor and regulate the way third parties use their personal information. It comes into effect on May 25, 2018.
It is important to note that failure to comply can cost you up to 4% of your annual global turnover. Moreover, non-compliance will certainly stir public uproar, which will damage your reputation. So it is vital to be ready and to line everything up with the coming standards.
Most of the principles behind the upcoming regulation have not changed that much, but the devil is in the detail, and the details are what will let you down if you pay them little or no attention. Here is a list of the new points added to the law:
- 72 hours to notify the relevant parties of the violation of the data usage;
- Mandatory clearly expressed (both explicit and implicit) consent for personal data processing;
- Data Protection Officer (DPO) position (recommended);
- Minimization and pseudonymization of the information;
- Obligatory Data Protection Impact Assessments (DPIAs);
- Mandatory records of data sources and of the purposes and conditions of processing and retention;
- An extended definition of personal information: pseudonymized data, online identifiers, device identifiers, cookie IDs, IP addresses, and genetic and biometric data are now covered by the concept of sensitive data.
Key Steps to Be in Conformity with the Regulations
Here are the steps to consider to be proactive rather than reactive:
- Keep Everyone Informed
First off, make sure all decision- and policy-makers are informed about the upcoming GDPR changes in the areas relevant to them. Remember to check whether the companies that hold your data or process it on your behalf know about the changes to come.
- Sort Out Personal Data
Take an inventory of the data you are storing: what information you have, why you have it, where you received it from, and who you are sharing it with. This complete data audit will help you stay in conformity with the law.
Look through your current policy and make the necessary changes to it. Ensure that individuals can see the legitimate grounds for processing their data and the retention periods, and that they understand their rights, such as the ability to complain to the ICO if they consider your actions inappropriate.
You are obliged to
- Explicitly inform individuals of PD collection;
- Explain why and how this information is going to be used;
- State how the material will be stored and deleted.
- State the Rights of Individuals Clearly
If any of your company's procedures disrespect rights that individuals are entitled to, take care to change them. All the rights should be conveyed to individuals distinctly. Check that you can respond promptly if anyone asks you to delete their PD: decide who handles such requests and how.
Tip 2: Keep Track of the Rights
People are entitled to
- Be informed of any changes/breaches;
- Have access to their personal data (PD);
- Make corrections to their information;
- Erase their PD;
- Withhold their consent for PD processing;
- Export their PD;
- Impose restriction on processing;
- Avoid being profiled.
- Identify How to Deal With Subject Access Requests
Individuals have the right to obtain a hard copy of the information held about them; this is known as a 'subject access request'.
- You have to promptly collect, structure and present this information within a month (not 40 days) of receiving such a request.
- You must provide most of the information free of charge (a charge may be levied if the request is excessive).
- You have the right to turn down a request, explaining why and where the individual can address their complaint (be sure to do this within 30 days).
Tip 3: Avoid Request Jams
If your company receives a lot of such requests, consider whether it is feasible to give individuals easy online access to this information.
- Identify & Prove Legitimate Grounds for Processing PD
Certain criteria, such as consent, give you a lawful basis to process the data entrusted to you. These bases in turn determine what rights individuals have. You have to identify them and put them in writing. See the ICO guidance on lawful basis.
- Receive Consents
You should obtain consent from individuals for processing their data before using it. We recommend refreshing even the consents you have already received, to avoid potential violations. The guidelines issued by the ICO provide a checklist to consider. The whole consent-collection procedure should be as transparent as possible. If you rely on consent, make sure it meets the regulation's requirements; otherwise, look for another lawful basis.
Tip 4: Make Consent As Clear As Possible
- Get rid of pre-ticked checkboxes;
- Forget about agreement inferred from inactivity;
- Make it stand out;
- Make it easy to reverse the consent.
- Verify Users’ Age
Children's rights will from now on be better protected. If consent is the basis you rely on, make sure to obtain verifiable agreement from parents or guardians before processing their children's data. This concerns children under 16 (in some cases under 13 in Great Britain).
- Optimize Security & Notification
Check that your systems are able to detect, investigate and report breaches to the relevant parties, and that you can do so within 72 hours. Both breaches and failure to notify them may result in fines, so it is advisable to draw up a list of all the cases in which the ICO has to be notified.
- Appoint a DPO or Train Your Personnel
If your company has fewer than 250 employees and you do not process data such as health or criminal records, you may not need to hire a DPO. In that case, consider providing relevant training for the staff you already have.
- Expect Assessments
Such assessments will be conducted by the relevant parties if data processing is likely to be risky for individuals (deployment of new technologies, profiling, etc.).
Do not assume that ignorance will keep you safe from penalties for non-compliance. Comb through your GDPR policy now to future-proof your business and to make sure you can respond to breaches in a timely and proper manner.
Putting your company through these steps might seem daunting. However, it will result in deeper trust on the part of your customers, which will help your company thrive. If we want the digital economy to flourish, we need to take the necessary measures to guarantee the security of sensitive data.
Follow these steps to be prepared and to be a key player in the global digital arena! If you need any help auditing your procedures, feel free to contact our company.