The General Data Protection Act (GDPR) becomes law on 25 May 2018, so it’s important that all businesses and organisations are aware of GDPR best practices. Failure to adopt these GDPR best practices could result in non-compliance. This in turn could lead to businesses facing heavy fines, or other sanctions. No business can afford for this to happen.
Of course, complying with the GDPR also means that businesses can maintain a good reputation with customers who value protection of their personal data. After all, no-one wants their personal data to be compromised. So, what GDPR best practices should your business be adopting, in preparation for May 2018?
Know what the GDPR is about
The first thing you need to do is ensure that you know what the GDPR is about. This helps you and others in your business to understand the new policies that you have to follow. One of the main aims of the GDPR is to give people living in the EU greater control over the way their personal data is handled. As previously, individuals can ask to see the data that is held, using a system access request (SAR). The processing time for these requests has reduced to 40 days, under the GDPR. Individuals also have the right to ask for data to be amended or deleted, except when there is a valid legal reason for retaining the data.
Another aim of the GDPR is to ensure that the protection of personal data is dealt with in the same way across all EU states. Although individual DPAs will have leeway in some areas, such as the imposition of fines, it’s expected that they will liaise with each other. This means that there should be a new uniformity to data protection management in the EU.
Understand what the GDPR means for you
It’s fine to know why the GDPR has been created, but your business cannot hope to meet GDPR requirements if it does not understand how it’s affected by GDPR. Many businesses believe that they do not have to comply with GDPR. But is this true? Most online businesses will find that they are affected by the new regulations. Here are some facts which you may find interesting.
- Every business that processes the personal data of people living within the EU has to comply with the GDPR. This includes businesses across the globe; not just businesses that are based in EU states.
- Every business that employs more than 250 people must appoint a Data Protection Officer (DPO).
- GDPR does not just apply to businesses that employ more than 250 people. Small businesses must comply with the GDPR if they process personal data on a regular basis, or if they are involved in processing sensitive data, as defined in Article 9 of the GDPR.
It’s vital that you know how GDPR relates to your business, and that you acquaint yourself with the new regulations. If you do not have this knowledge, you cannot go on to ensure that your business is prepared for GDPR implementation.
Audit the data you have
There are several changes to current personal data processing rules that have come about with the introduction of the GDPR. One of the biggest changes surrounds consent. Data subjects now have to give informed consent for data to be used for a specific purpose, unless there is another legitimate legal reason for the data to be held and processed. Data subjects also need to take a definite action in order to provide consent. It’s no longer sufficient for pre-checked tick boxes to be used.
You need to ensure that all of the personal data that you hold is audited, to ensure that it meets the requirements of the GDPR, including the revised consent requirements.
Develop mechanisms for the management of data
Every business needs to know exactly what personal data it holds and processes, where the data is, how it was obtained, whether the data needs to be retained, and who is responsible for managing the data. This is why you need to develop mechanisms for your business that meet all of these requirements.
For instance, when considering GDPR best practices, it’s important that businesses only keep data in relation to the purpose for which it was originally collected. If the purpose no longer exists, the data must be deleted, unless there is another legally valid reason for continuing to process it. Making sure that data is deleted as it should be also benefits the business; the less data that is held, the less damage is caused if there is a data breach.
Ensure that reporting processes meet with GDPR requirements
When the GDPR is introduced, businesses will not just need to be compliant; they will need to be able to show evidence of their compliance. In order to be able to do this, every business needs to keep comprehensive records of its policies and procedures, as well as checks that the business makes.
This is a very important part of GDPR best practices, as it will not be sufficient for a business to simply appear to be compliant; it will need to be able to provide sufficient documentation to the Data Protection Authority (DPA) to prove its compliance. Failure to do so could result in sanctions being applied.
Risk-assess the data you hold
A major factor in complying with the GDPR will be risk assessment. Every business needs to risk-assess the data it holds, and the way it manages the data. Businesses should use Data Protection Impact Assessments (DPIAs) to help them gauge the level of risk, and the potential harm, associated with all the personal data they hold. It’s the responsibility of each business to ensure that any identified risks are mitigated.
If you are looking at GDPR best practices for your business, you should be aware that you need to take action if it seems that no mitigation is possible. If this is the case, the business needs to consult with the relevant DPA, before the data is processed. It’s expected that cases like this will be the exception, not the rule.
Ensure that you have a Data Protection Officer (DPO) in place
Any business that employs more than 250 people, and processes personal data, will need to have a DPO in place once the GDPR becomes a reality. This means that there is likely to be a shortage of qualified DPOs. This is not necessarily an issue, as the GDPR does not stipulate that DPOs need to be qualified. This means that companies can move an employee into the role.
However, all DPOs need to have an in-depth knowledge of the GDPR. They also need to be able to develop plans for the management and protection of the personal data that is held by the business. This means that it may be necessary for the individual that undertakes the role to receive training. If your business is intending to move someone into the DPO role, you need to ensure that any necessary training is completed in plenty of time, in order for your business to be compliant.
Alternatively, a business can use a third-party DPO. Any business that chooses to do this needs to consider GDPR good practices at all times. The third-party DPO will also be regarded as a business which processes personal data. This means that they must also comply with the GDPR, so businesses need to make sure this is addressed when contracts are signed.
Ensure employees are aware of GDPR best practices
The aim of this article is to take a look at GDPR best practices, from the point of view of the businesses that it affects. But, it’s not just business owners, CEOs or DPOs that need to be aware of these best practices. Every person that works for a business, and is involved in the processing of data, needs to understand the effects of the GDPR.
This is because every person needs to follow the rules and regulations that are in place, in order to ensure that the business complies overall. It’s good practice to ensure that employees have GDPR training, so that they understand their responsibilities, and how they fit with the compliance of the business as a whole.
Create a data breach reporting plan that works
Businesses need to take actions to ensure that they comply with the GDPR, and do everything they can to avoid any problems with the data that they process. But, even if businesses do this, there is still a chance that a data breach might happen. The potential damage from a data breach can be huge, especially when a large, multi-national company is involved. This is why, under GDPR, data breaches must be reported within 72 hours.
In order to ensure that this happens, businesses need to have a detailed plan in place, about how to deal with a data breach if it happens. It’s all about working towards the best scenario while also planning for the worst.
According to reports, many businesses feel unprepared for the introduction of the GDPR, in May 2018. This is worrying, given that businesses that do not comply could be hit with costly sanctions. If your business is not fully prepared, it’s time to take action.
In this article we have taken you through some of the GDPR best practices that you need to consider, if you want to be ready for when the GDPR becomes law. Adopting these best practices should help your business to be ready in time, and to continue to be fully compliant with the GDPR.