The General Data Protection Regulation (GDPR) becomes law on 25 May 2018, so it’s important that all businesses and organisations are aware of GDPR best practices. Failure to adopt these GDPR best practices could result in non-compliance. This in turn could lead to businesses facing heavy fines or other sanctions. No business can afford for this to happen.
Of course, complying with the GDPR also means that businesses can maintain a good reputation with customers who value protection of their personal data. After all, no-one wants their personal data to be compromised. What GDPR best practices can your business adopt to prepare for May 2018?
Know what the GDPR is about
The first thing you need to do is ensure that you know what the GDPR is about and what has changed. This helps you and others in your business to understand the new policies that you have to follow. One of the main aims of the GDPR is to give people living in the EU greater control over the way their personal data is handled. As previously, individuals can ask to see the data that is held, using a subject access request (SAR). The processing time for these requests has been reduced to 40 days under the GDPR. Individuals also have the right to ask for data to be amended or deleted in certain cases, except when there is a valid legal reason for retaining the data.
Another aim of the GDPR is to ensure that the protection of personal data is dealt with in the same way across all EU states. Although individual Data Protection Authorities will have leeway in some areas, such as the imposition of fines, it’s expected that they will liaise closely with one another. This means that there should be a new uniformity to data protection management in the EU.
Understand what the GDPR means for you
It’s fine to know why the GDPR has been created, but your business cannot hope to meet GDPR requirements if it does not understand how it is affected by the GDPR. Many businesses believe that they do not have to comply with the GDPR. For a great number of these, this is not true. Most online businesses will find that they are affected by the new regulations. Here are some facts which you may find interesting.
- Every business that processes the personal data of people living within the EU has to comply with the GDPR. This includes businesses across the globe; not just businesses that are based in EU states.
- Every business that employs more than 250 people must appoint a Data Protection Officer (DPO).
- The GDPR does not just apply to businesses that employ more than 250 people. Small businesses must also comply with the GDPR if they process personal data on a regular basis, or if they are involved in processing sensitive data, as defined in Article 9 of the GDPR.
It’s vital that you know how the GDPR relates to your business, and that you acquaint yourself with the new regulations. If you do not have this knowledge, you cannot go on to ensure that your business is prepared for the GDPR’s implementation.
Audit the data that you hold
There are several changes to the current personal data processing rules that have come about with the introduction of the GDPR. One of the biggest changes surrounds consent. Data subjects now have to give informed consent for data to be used for a specific purpose, unless there is another legitimate legal reason for the data to be held and processed. Data subjects also need to take an unambiguous and affirmative action in order to provide consent. It’s no longer sufficient for pre-checked tick boxes to be used, as inaction is not a valid method of obtaining consent.
You need to ensure that all of the personal data that you hold is audited, to guarantee that it meets with the requirements of the GDPR, including the revised consent requirements. If consent was acquired under different circumstances, it must be reacquired to meet the new standards.
Develop mechanisms for the management of data
Every business needs to know exactly what personal data it holds and processes, where the data is, how it was obtained, whether the data needs to be retained, and who is responsible for managing the data. This is why you need to develop mechanisms for your business that meet all of these requirements.
For instance, when considering GDPR best practices, it is important that businesses only keep data in relation to the purpose for which it was originally collected. If the purpose no longer exists, the data must be deleted, unless there is another legally valid reason for continuing to store or process it. Making sure that data is deleted, when it should be, also benefits the business; the less data that is held, the less damage that can be caused if there is a data breach and the less data that must be sifted through to respond to SARs.
Ensure that reporting processes meet with the GDPR requirements
When the GDPR is introduced, businesses will not just need to be compliant; they will need to be able to show evidence of their compliance. In order to be able to do this, every business needs to keep comprehensive records of its policies and procedures, as well as checks that the business makes.
This is a very important part of GDPR best practices, as it will not be sufficient for a business to simply appear to be compliant; it will need to be able to provide sufficient documentation to the Data Protection Authority (DPA) to prove its compliance. Failure to do so could result in sanctions being applied.
Risk assess the data you hold
A major factor in complying with the GDPR will be risk assessment. Every business needs to assess the risks associated with the data it holds and the way it manages this data. Businesses should use Data Protection Impact Assessments (DPIAs) to help them gauge the level of risk and the potential harm associated with all the personal data they hold. It’s the responsibility of each business to ensure that any identified risks are mitigated.
If you are looking at GDPR best practices for your business, you should be aware that you need to take action if it seems that no mitigation is possible. If this is the case, the business needs to consult with the relevant DPA before the data is processed. It is expected that cases like this will be the exception, not the rule.
Ensure that you have a Data Protection Officer (DPO) in place
Any business that employs more than 250 people and processes personal data will need to have a DPO in place once the GDPR comes into force. This means that there is likely to be a shortage of qualified DPOs. This is not necessarily an issue, as the GDPR does not stipulate that DPOs need to hold a certain qualification. This means that companies can move an existing employee into the role.
However, all DPOs need to have an in-depth knowledge of the GDPR. They also need to be able to develop plans for the management and protection of the personal data that is held by the business. This means that it may be necessary for the individual that undertakes the role to receive training. If your business is intending to move someone into the DPO role, you need to ensure that any necessary training is completed in plenty of time for your business to introduce the procedures needed to be compliant.
Alternatively, a business can use a third-party DPO. Any business that chooses to do this needs to consider GDPR good practices at all times. The third-party DPO will be regarded as a business which processes personal data. This means that they must also comply with the GDPR, so businesses need to make sure this is addressed when contracts are signed.
Ensure employees are aware of GDPR best practices
The aim of this article is to take a look at GDPR best practices from the point of view of the businesses that it affects. However, it’s not just business owners, CEOs, or DPOs that need to be aware of these best practices. Every person that is involved in the processing of data needs to understand the effects and the implications of the GDPR.
This is because every person needs to follow the rules and regulations that are in place in order to ensure that the business is compliant as a whole. It is good practice to ensure that employees have been properly trained in their GDPR requirements so that they understand their responsibilities and how they fit with the compliance of the business as a whole.
Create a data breach reporting plan that works
Businesses need to take action to ensure that they comply with the GDPR and do everything they can to avoid any problems with the data that they process. Even if businesses do this, there is still a chance that a data breach might happen. The potential damage from a data breach can be huge, especially when a large multinational company is involved. This is why, under the GDPR, data breaches must be reported within 72 hours of discovery.
In order to ensure that this happens, businesses need to have a detailed plan in place about how they will deal with a data breach if it happens. It is all about working towards the best scenario while also planning for the worst.
According to reports, many businesses feel unprepared for the introduction of the GDPR. This is worrying, given that businesses that do not comply could be hit with costly sanctions. If your business is not fully prepared, it is time to take action.
In this article we have taken you through some of the GDPR best practices that you need to consider if you want to be ready when the GDPR becomes law. Adopting these best practices should help your business to be ready in time, and to continue to be fully compliant with the GDPR.