GDPR – Practical advice to support your path to GDPR Compliance
Posted 11 months ago by aequitaslegal in GDPR & Data Protection
As most business emails and alerts are reminding us, the General Data Protection Regulation (“GDPR”) is just around the corner. The new regulation takes effect on 25th May 2018.
As someone who is part of the project team to ensure compliance with the GDPR in both my previous and current employment, I know and understand the hurdles businesses are facing.
Whilst there is an abundance of information, one of my observations is that there is a lack of practical steps and advice being provided.
Therefore, this month's email is about giving some practical steps for you to think about during your GDPR implementation.
- Audit – before you embark on implementing anything new for GDPR, ensure you know what the current state of play is. You need to evaluate where your current data comes from, where it is stored, who has access to it, etc. My suggestion is to complete a data audit, which will then help you focus on which areas need updating for GDPR and which are already sufficient.
- Outsourcing – nowadays many businesses look to outsource certain business functions such as Payroll, HR and IT. If your business does outsource some of its functions, then you need to ensure that any provider you are working with who has access to your IT systems and data will be compliant with GDPR. If they have not contacted you yet to confirm their position as “GDPR ready”, then reach out to them and clarify what provisions they have in place to be GDPR compliant.
For instance:
- Where is our data hosted?
- Who has access to it?
- How does your system help us delete personal data?
- How does your system allow us to store consent?
- What data security provisions are in place?
- Physical office – most of the emphasis around GDPR is on your online environment. However, you also need to think about the physical environment. Consider access to the office and to filing cabinets, with the aim of limiting the risk of someone from outside the business gaining entry to the premises and to the personal data held there. Key fobs to gain access, and keeping all cabinets locked unless in use, are things you should consider. It is also worth reviewing who within your business can access your data, and restricting access both to physical locations in your business and to your internal business drives.
- Consent – the message is clear: for any new individuals you engage where you will hold or process their personal data, you need to obtain their consent. However, you also need to ensure your current data subjects re-consent if you intend to use their details to continue marketing new products and services you may offer in the future. Therefore, you will need to issue a “consent letter” to your existing database to confirm whether they wish to positively “opt in” to receiving relevant marketing materials in the future. The GDPR is clear that people have to positively opt in, rather than the current state of play where you are deemed to have consented unless you “untick” the consent box.
If you have any questions regarding GDPR then please call us on 0161 358 0800.
Or enquire about our GDPR Support Pack at £75 plus. The pack provides a detailed implementation plan looking at the areas of:
- Data Audits,
- Privacy Notice,
- Policies and Procedures, and
- Data Breach requirements.
As well as practical advice, the pack provides numerous template documents for you to use within your business, such as a Data Privacy Notice for your website, consent letters to issue to new and existing clients, and an internal Data Protection Policy.