Implementation of the GDPR (General Data Protection Regulation) is looming, as the deadline date of 25 May 2018 will soon be here. The GDPR is one of the biggest shake-ups of data protection legislation in thirty years, since the Data Protection Act 1998 came in. In order to protect personal data, the law requires all organisations to tighten up on how they handle it, from acquisition to destruction. In this article I provide tips to assist you with GDPR compliance.
1. Identify the data controller in your organisation. This should be a senior member of staff: usually the Managing Director in a small company, and in a larger organisation either the Managing Director or a board member. The ICO (Information Commissioner's Office) will need to be notified.
2. Consider appointing a Data Protection Officer. This person should deal with day-to-day data protection issues and be the company's “fount of all knowledge” and the go-to person for personal data issues. In a small company this role could be incorporated part-time into an existing role. The Data Protection Officer needs to know everything there is to know about data protection in order to give advice to colleagues. A larger company could recruit for the role or even appoint a consultant with data protection knowledge.
3. In order to comply with the GDPR it is essential to undertake a data protection audit as soon as possible. This could be coordinated by a project team from within the organisation, or a consultant could be commissioned to undertake this potentially time-consuming task and then draft a report highlighting the compliance gaps.
4. Having identified the compliance gaps, gather together all the essential documentation that may be needed to comply with the law. Paperwork could include a data register, an asset register, an asset management policy, an updated IT policy, a privacy notice, a Data Protection Officer job description, etc.
5. Review all existing documentation to see whether it would stand up to scrutiny if the integrity of your processes were challenged. Changes may need to be made to employment contracts and staff handbooks, for example.