Twelve Steps to GDPR nirvana… the first six cream crackers!
Last week we looked at a general introduction to GDPR – if you missed that article please do go and look on our website where that, and all my weekly newsletters, are published. This time around we shall actually get stuck in so go get a cuppa tea – you’re going to need it!
The Information Commissioner’s Office (ICO) have published a twelve-step guide for compliance; let’s look at six of those steps and how they relate to the small business – I’d do more but it’s a bit like trying to eat 12 cream crackers at one time!!!
You need to know that the law is changing to the GDPR. Many of us are already compliant under the Data Protection Act (DPA) so what we need to do is assess the impact that the new regulations will have on our organisations and what we need to do to become compliant.
2. What information do you hold?
You should document what personal data you hold, where it came from and who you share it with. You may need to undertake an information audit. This can be quite a simple task but you really need to take a couple of hours to review the information you hold. Doing this will enable you to comply to the GDPR’s accountability principle, which requires that organisations demonstrate that they have written data protection policies.
3. Communication Privacy information
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This can be done through a privacy notice or, for many small companies, at the time you collect the data. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
4. Individuals Rights
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted.
5. Subject Access Requests
So, if you are contacted by a client of whom you hold data you need a policy on how you will handle such a request. Again, this is not difficult but in that morning you take out to contemplate GDPR make writing a Subject Access Request Policy one of your goals.
6. Lawful Basis for Processing Personal Data
You will also have to explain your lawful basis for processing personal data when you answer a subject access request. The lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA. It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so. You should document your lawful bases in order to comply with the GDPR’s accountability requirements.
…so, with six cream crackers in our mouth I think we’re about dried out! Go have a sip of your tea! We still have consent, breaches and protection of children to go through!
I hope that this blog, dry as it is, does give you some positive pointers about the new GDPR. I honestly believe that it is not as bad as it sounds and with some planning every small business can easily achieve compliance.
Next week we will look at the next six steps and what you can do to reach that GDPR nirvana.