7 steps to GDPR compliance


The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and is designed to modernise laws that protect the personal information of individuals. It replaces the Data Protection Act 1998 and introduces higher regulatory fines for non-compliance and data breaches.

There are many things companies must do to become GDPR compliant and avoid being fined. This is where SDR can help. SDR are experts in providing customised document storage, scanning and destruction solutions for all documents and IT equipment. You can be assured your data is handled securely and that your organisation will meet the requirements of GDPR.

1. Get to know your data

Getting to know all the personal data in your business is vital to ensuring you are GDPR compliant. Map where all of your personal data comes from and document what you do with it, where it resides, who has access to the data and any potential risks associated with it. Identifying this will enable you to manage your data efficiently and securely.

2. Spring clean your data

GDPR encourages a more regimented treatment of personal data, so it is advisable to clean up your data, securely removing any data or information that is unnecessary or unused. It is important to consider why you are saving your data, what the benefits and goals of keeping all of this personal information are, and whether disposing of it offers more financial gain than encrypting it. Implement a data retention period and ensure any unnecessary data is deleted within the specified time limits.

You can further minimise the risk by limiting access to personal data to the specific employees who need it in order to perform their job.

Remember, personal data must be disposed of securely and safely to prevent a data breach. SDR are experts in destruction solutions for documents and IT equipment and will help you ensure that your data is disposed of confidentially and securely.

3. Secure your data

A breach of data not only contravenes GDPR and jeopardises your clients’ trust, it could also see you faced with fines of up to €20 million or 4% of group worldwide turnover, whichever is greater. Therefore, it is vital that you develop safeguards throughout your company by implementing security measures to prevent data breaches and quickly notifying individuals and authorities within 72 hours if a data breach occurs.

The Information Commissioner’s Office (ICO) recommends pseudonymisation and encryption of personal data as ways to reduce the risk to data subjects. Pseudonymisation encodes personal data with artificial identifiers that can still be used to re-identify the subject, whereas encryption renders data unintelligible so that only people with access to a secret key or password can read it. Either method provides a legitimate way to address the security of processing personal data.

4. Review consent guidelines

Under the GDPR, pre-checked consent boxes or implied consent are no longer acceptable. Instead, companies are required to gather explicit consent from clients regarding the acquisition and processing of their data. To comply with this, it is wise to review and amend your company’s processes for obtaining online and offline consent.

5. Update your website

There are a number of steps you should take to enable GDPR compliance on your website:

  • Include a privacy policy that details what data you collect from your website, your legal basis for processing the data and how you share it with others.
  • Provide a cookie policy outlining the cookies you collect on your website and what you plan to do with them.
  • Install a cookie banner notice so that when a user first visits your site, they can accept and choose which types of cookie they are happy for you to collect.
  • Feature any required consent checkboxes on your web forms, ensuring they are unchecked and separate for each type of processing activity.

6. Educate your staff

Train your employees on what constitutes a personal data breach and teach them how to recognise and report any mistakes as soon as they are identified. Educate new staff on your data processing policies and keep existing staff updated on any changes to those policies. Encourage the entire team to think of personal data as a valuable commodity which needs to be protected at all times.

7. Implement data processing policies

Under the GDPR, individuals have a lot more control over their personal data. Consequently, businesses must have detailed policies that cover how they will obtain legal consent from individuals regarding their data, how they will delete or transfer a customer’s data securely and how best to communicate a data breach. Setting out a clear data protection policy will minimise risk to your data and build mutual trust between your clients and company.


The GDPR massively affects how you must handle, dispose of and store personal data. It is best to devise and implement a clear, company-wide plan that details how you manage data in order to comply with the GDPR and avoid data breaches.

SDR can assist with all of your needs – contact us today: info@ or 0800 037 7777


Whilst SDR can advise on some of the steps you can take towards becoming GDPR compliant, you should seek legal and other professional advice on how to achieve full compliance.