Key decision makers must sit down together and start devising a strategy that meets the requirements of GDPR if they are to achieve compliance in time for May.
Raise awareness and register it
Firstly, recording the transition process to GDPR compliance is an effective way of proving your company is willing to meet the new requirements. Also known as the data register, this record will show what data the business currently holds and where it originated from, outlining the organization’s reasons for processing it.
Compliance is not designed to obstruct or limit a business, but it instead questions existing processes and procedures to improve overall standard.
Businesses should review their existing digital and hard copy format privacy notices and policies and consider if they are concise, written in clear language, easy to understand and easily found.
It is also important to review how these notices and policies are communicated to the data subjects – it’s important that they are explained thoroughly, and that individuals understand how to lodge a formal complaint with the Information Commissioner’s Office if necessary.
Rights of the individual
The aim of GDPR is to give data subjects greater control over their personal data, allowing them to request that their personal information is edited or even deleted at any time. Perhaps one of the key drivers of the changes is the right for an individual to prevent their data being used for direct marketing purposes, as well as their right to challenge and prevent automated decision making and profiling.
Regardless of complaints, adopting transparent procedures will help mitigate potential future problems with the regulator. If companies already handle data carefully under the current guidelines, the transition to GDPR should not be a cause for concern.
Never assume consent
Obtaining and handling consent for the use of personal data is a bit of a tricky area under GDPR. Individuals must give clear consent for their data to be used, and if companies plan on using it differently to what was first agreed, they must obtain separate consent. Whatever way businesses attempt to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.
Where data processing could pose a significant risk to individuals because of the technology that is being used or the scale of the processing, companies should undertake a Privacy Impact Assessment (PIA).
These assessments will help businesses and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes. Companies need to ensure they have a robust process for making the assessments and then record it, along with the outcome.
If a business routinely deals with personal data on a large scale, then it could be worth recruiting a dedicated data protection officer to oversee procedures, ensuring compliance at all times.
Companies must also consider written records, which are also covered by the regulations. It is important to ensure all staff are trained on the correct handling of personal data.
Remember, recording the compliance process using a data register is ultimately the most effective way to protect against data breach claims. Those organizations who can prove willingness to comply will fare better than those that don’t.
Paula Tighe is a qualified data protection professional and leads the trusted advisor information governance service. Experienced in working with small, medium and large private and public bodies, Paula advises on a range of data protection issues, including training design and delivery, marketing, housing, project management and ICT security.
Wright Hassall, a full-service law firm, advises clients across a variety of sectors including advanced manufacturing and engineering; food and agriculture; housing, development and construction; and gaming and digital media. Find out more at www.wrighthassall.co.uk
October 30, 2017