GDPR – 12 steps to help you become compliant

AAT Comment

GDPR day has been and gone. Are you compliant?

Let me explain about compliance. Being GDPR compliant is not a tick in the box. I work with lots of businesses of varying sizes and none of them are 100% compliant, 100% of the time.

What you can have in place are robust policies and procedures, which guide the organisation and show the best practice that should be operating. You can train your staff in those procedures and make sure that they are aware of what they need to be doing.

But it only takes one person to be hurrying, not concentrating or unclear about what they need to be doing to make a mistake. That mistake could lead to a data breach.

But what if I haven’t started yet?

GDPR is:

  • an evolution of the existing Data Protection Act 1998 and not something completely new.
  • not a “finishing line” to be crossed by the date; it is in fact a “starting line”.

If you’re Data Protection Act compliant then you just need to formally review and enhance how you’re collecting, using and sharing an individual’s personal information to make sure that you’re telling them exactly what you’re doing with it. You also need to demonstrate that you’re considering and protecting their rights and interests.

It’s a “starting line” because at the moment GDPR is just a legal framework to work within, with lots of aspects requiring each organisation to produce their own interpretation. Once enforcement action starts by the Information Commissioner in the UK, and her counterparts across Europe, “best practice” will be created. Those already working that way will be relieved that their interpretation is acceptable, whilst those who are not will need to change how they’re handling personal information.

Am I breaking the law?

Whilst you’ll technically be breaking the law, don’t panic. Work through what you need to do in a logical way and have a compliance plan. The Information Commissioner is likely to take a more lenient view of an organisation starting its compliance journey late than of one which has done nothing.

12 steps to becoming compliant

By getting these 12 steps underway as soon as possible, you’ll be compliant in no time at all!

  • Understand the GDPR basics – personal information is the individual’s to share or not as they choose
  • The who, what, why – understand what personal information you’re collecting, how you use it, where it’s stored, who you share it with, and when it’s deleted – a “data audit”. Also make sure you document it.
  • Email Marketing – don’t forget that it not only has to comply with GDPR but also PECR (Privacy and Electronic Communications Regulations)
  • Consent – it’s one of the legal bases for using (processing) personal information. If it’s the one you’re using make sure you collect it in the right way and don’t forget it’ll need refreshing a maximum of every two years. Read my earlier blog on consent for the detail of how to get it right!
  • Privacy Notices – the essential information to give individuals when asking them to give you their personal information. They need to be sufficient to give the individual a real choice as to whether to give you their data.
  • Data Controller – Are you a data controller? Have a read of my earlier blog to help you decide.
  • Data Processor – Are you a data processor? Have a read of my earlier blog to help you decide.
  • Cloud storage – As part of the “data audit” you did earlier you’ll have identified where your data is stored, the key thing is whether it’s in the EEA or not; because you need to say in your Privacy Notice if it isn’t.
  • Sharing – Again as part of your “data audit” you should already know who you’re sharing the personal information you’ve collected with. You’ll need to have a detailed data processor agreement in place as outlined in my earlier blogs.
  • Retention – Make sure you only hold personal information for as long as you need it. Have a documented retention policy.
  • Subject Access Requests (SARs) – Individuals have a right to see copies of all of their data that you hold, and you have to provide it within 30 calendar days of receiving the request.
  • Policies & Procedures – support everything you do with appropriate policies and procedures to help demonstrate that you treat individuals’ personal information in accordance with GDPR.

There’s lots of information and advice available to help you from the ICO’s website, and the various law firms have lots of information too. There is also my website to help you with the practical implementation.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.
