With the 25 May 2018 deadline of the EU's General Data Protection Regulation (GDPR) rapidly approaching, your company should already have planned, budgeted and actioned its GDPR compliance programme. If you are still behind the curve, here are the absolute minimum steps you need to take.
#1. Data Mapping
It may sound obvious, but how can you expect to look after your company's information if you don't know what data you hold, where and how it is stored, and who has access to it or shares it? Article 30 of the GDPR requires every data controller and processor to keep "records of processing activities" (the exemption for organisations with fewer than 250 employees does not apply where the processing is not occasional, is likely to result in a risk to individuals, or includes special categories of data, so few businesses escape it). A data inventory and data flow map of your company's personal data will plot that data in all of its forms: its origins, the paths it travels, its exit points and its storage locations.
#2. Data Retention Plan
Records management is hardly likely to win any awards for glamour and is not something you would call fun, but it is an essential business process. The principles for data retention should be simple: don't collect data you don't need, and don't keep data unless it is still necessary for the purpose it was collected for. Prolonged or uncontrolled retention clearly increases the risk of a confidentiality breach, so a retention schedule setting a maximum retention period for each category of data should be put in place and enforced, and records past that period should be erased or anonymised. Put simply: the less data a company holds, the less it has the capacity to lose.
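As an added illustration (this is not Print Logic's software or code from the original page), the following Python sketch shows how a retention schedule can be enforced over a data inventory rather than left as a policy document. The categories, retention periods and the sample records are constructed for the example and are not legal advice; real periods come from your own statutory and business requirements. It also handles the two cases a practitioner will meet in practice: records under legal hold, which must not be deleted on schedule, and records in a category the schedule does not cover, which are reported for a decision rather than silently kept or destroyed.

```python
from datetime import date, timedelta

# Constructed retention schedule: category -> maximum retention in days after the
# record's purpose ends. Hypothetical figures for illustration only.
RETENTION_DAYS = {
    "marketing_consent": 365,
    "customer_order": 6 * 365,   # e.g. accounting records kept for a statutory period
    "job_applicant": 180,
}


def records_to_erase(records, today, legal_holds=frozenset()):
    """Return (expired_ids, unknown_ids) for an inventory as of `today`.

    records: iterable of dicts with keys id, category, end_of_purpose (a date
             marking when the data stopped being needed for its purpose).
    legal_holds: ids that must be retained regardless of the schedule
                 (litigation hold, regulatory inquiry); they are never listed
                 as expired.
    Records whose category is not in the schedule are returned separately so a
    human decides what to do with them instead of the script guessing.
    """
    expired, unknown = [], []
    for r in records:
        limit = RETENTION_DAYS.get(r["category"])
        if limit is None:
            unknown.append(r["id"])
            continue
        if r["id"] in legal_holds:
            continue
        if today > r["end_of_purpose"] + timedelta(days=limit):
            expired.append(r["id"])
    return expired, unknown


# Constructed sample inventory (not real data).
SAMPLE = [
    {"id": "c1", "category": "marketing_consent", "end_of_purpose": date(2016, 1, 1)},
    {"id": "c2", "category": "marketing_consent", "end_of_purpose": date(2018, 1, 1)},
    {"id": "o1", "category": "customer_order", "end_of_purpose": date(2011, 1, 1)},
    {"id": "o2", "category": "customer_order", "end_of_purpose": date(2015, 1, 1)},
    {"id": "a1", "category": "job_applicant", "end_of_purpose": date(2017, 6, 1)},
    {"id": "x1", "category": "legacy_export", "end_of_purpose": date(2010, 1, 1)},
]

# Evaluation date used for the worked run: the GDPR application date.
AS_OF = date(2018, 5, 25)

if __name__ == "__main__":
    expired, unknown = records_to_erase(SAMPLE, AS_OF, legal_holds={"a1"})
    print("erase:", expired)          # c1 and o1 are past their limits
    print("needs a decision:", unknown)  # x1 has no retention rule
```

In a real deployment the erasure list would feed the deletion or anonymisation job and the "unknown" list would feed the data-mapping exercise from step #1, since a record with no retention rule is usually a record that never made it into the inventory.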
#3. Data Protection Policy/Statement
The impending GDPR requires detailed information disclosures (Articles 13 and 14) to be made to both your customers and your employees, so your privacy statement will be both externally and internally focused. Disclosures must be clear and complete: where you rely on consent, a vague or incomplete notice undermines the validity of that consent. There is little point in devising and implementing stringent internal policies only to have them undermined by external service providers or suppliers, so data protection obligations also need to be written into all third-party and supplier agreements; Article 28 requires a written contract with specific terms for every processor acting on your behalf.
#4. Data Protection Impact Assessment (DPIA)
Also known as privacy impact assessments or PIAs, these help you identify the most effective way to comply with your data protection obligations and meet individuals' expectations of privacy. Under Article 35 a DPIA is mandatory where processing is likely to result in a high risk to individuals (for example large-scale processing of special-category data or systematic monitoring of public areas), and is good practice elsewhere. It means going through a structured process of identifying, documenting and reporting the likelihood and severity of privacy risks to individuals, together with the mitigating measures the company intends to take. An effective DPIA lets you identify and fix problems at an early stage, reducing the associated costs and the reputational damage that might otherwise occur.
#5. Data Protection Officer (DPO)
A Data Protection Officer (DPO) must be appointed where Article 37 applies: public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations processing special-category or criminal-conviction data on a large scale. Even where it is not mandatory, many businesses will choose to appoint one. The GDPR requires that the DPO has expert knowledge of data protection law and practice. The DPO's minimum tasks are defined in Article 39: to inform and advise the organisation and its employees about their obligations under the GDPR and other data protection laws; to monitor compliance with those laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and to be the first point of contact for the supervisory authority and for the individuals whose data is processed (employees, customers and so on). An existing employee can be appointed DPO, but they must be able to act independently without a conflict of interest, and professional training will clearly be required.
#6. Data Protection By Design
This is an approach to projects that builds privacy and data protection compliance in from the outset rather than bolting it on as an afterthought or ignoring it altogether, and under Article 25 of the GDPR it becomes a legal obligation. The ICO encourages businesses to make privacy and data protection a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
Print Logic's suite of pre-built modular software products is designed to deal with many of the security and auditing challenges your business will face as a result of the new GDPR legislation.
As well as assisting your business with becoming GDPR compliant, our software also provides:
- Automation of daily tasks
- Solid security for your data
- Fast access to your information anywhere, anytime
- Ability to create a robust business plan
- Opportunity to improve your business processes