With just under two months until the GDPR (General Data Protection Regulation) becomes law in the UK (25 May 2018), what do we think are the key things to concentrate on now?
1. GDPR is a great opportunity for you to start your journey towards data protection compliance. It’s not a destination. This means that you can start making changes now, and continue embedding better compliance activities after 25 May.
2. Think about what personal data you are already processing, why, where you are holding it and for how long. If you don’t need it any more, spring clean and get rid of it.
3. A retention schedule outlining timescales for holding personal data is crucial. It is likely that there will be other reasons (legal/regulatory) such as pension commitments, gift aid, tax etc. that will determine how long you need to retain personal data.
4. Don’t set an arbitrary timescale for retaining personal data, because this could mean you are breaking other laws or obligations that require you to keep personal data for a specific period of time.
5. Review and amend your privacy notice. Part of your obligations under GDPR is to be clear and transparent about what you are doing with personal data, why, and so on.
6. Communicate your privacy notice in accessible language. Make sure your privacy notice has prominence on your website, and also think of other ways you can communicate your policy on processing personal data at the point of collection. Remember that not everyone has English as a first language, and your privacy notice should also take into account different levels of literacy, ages etc.
7. Establish an internal procedure to deal with data breaches. You should document all data breaches, and ensure that data breaches with the potential to impact the rights and freedoms of any individuals are reported to the Information Commissioner’s Office (ICO).
8. Register where you are required to do so with the ICO as a Data Controller and put in place a named Data Protection Officer (DPO).
9. Review your contracts with those who are processing your personal data. Any data processors must demonstrate compliance with the GDPR. You must pay particular attention to any data processors located outside the EU.
10. Breathe in Data Protection. Think about it from both an operational and strategic perspective. Build it into project planning, staff training and awareness. Finally, think about how you can continue your journey towards a “Privacy by Design” culture post 25 May and allocate resources and time accordingly.
Naomi Korn, Managing Director
(c) NKCC, 2018. Some Rights Reserved. This article is licensed for reuse under a Creative Commons Attribution Share Alike Licence.