An action plan
So... what can you do now to prepare for GDPR?
NOW is the time to start putting together an action plan. The following are suggestions as to what should be included in it:
1. Find out what you need to do to ensure compliance with GDPR within your organisation / sector.
2. You will need to appoint a Data Protection Officer (DPO). Depending on the size of the business, the most appropriate person to do this may be you, as the business owner. The important thing to consider here is that the DPO shares with the team / staff what GDPR is, and that all employees understand what a ‘data breach’ is and who to report it to, why and how!
3. If your company / organisation handles a large amount of data, it is important that you understand ‘what data you hold and process’. This means that you need to be able to differentiate between personal data, client data and employee data, and to know how each is captured and stored.
4. All businesses need to be able to manage their data. This means being able to erase data completely from all systems and back-ups, in line with ‘the right to be forgotten’, and being able to supply details of any data held on request. It also includes understanding how data is used, as well as individuals’ rights over their own data.
5. Businesses should update their procedures to enable them to detect and report breaches as soon as possible. There is also a potential requirement to perform a Data Privacy Impact Assessment (DPIA). This could be used to conduct a full review of activity, which may help you identify ways in which data could be breached.
6. Examine the data for your organisation and how you handle it, to help understand what needs to be put into place for GDPR. This may need to include the DPIA review, as well as a review of correspondence, existing procedures and portable data, for example. Companies may also need to review how they gain consent to use data.
7. Review your cyber protection to see if this needs to be enhanced.
8. Take a look at how you review your data and work at the moment. You may already have robust systems in place, or good systems which need to be adapted, and this could give you a head start; for example, some ISO standards, such as 27018 and 27001, include security standards.
9. Take the opportunity to look at the ‘whole business’, as your standards will need to be consistent and clients could, for example, ask for details which prove compliance. Ensuring that you have a plan in place demonstrates to clients and staff that you have taken GDPR seriously.
In the next blog we will look at using technology and the pitfalls to avoid for GDPR.