The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and many businesses and organisations still do not feel as though they are fully prepared. If you are feeling concerned about being ill-prepared for GDPR, it is important not to panic.
Hopefully, you already have plans in place to ensure that you, and the employees who work for you, are aware of what GDPR stipulates and what actions are needed. If you have not already made these plans, you need to do so now. You also need to audit the data you hold and the way you process it. It is from this baseline that you can start to ensure that your business or organisation is compliant. As you prepare for the introduction of GDPR, there are three important points that you need to pay attention to.
Know who is a Data Controller and who is a Data Processor
Under GDPR, data controllers and data processors can both be held accountable for any data protection issues that occur, but it’s still important to recognise the difference between controllers and processors, because the relationship needs to be set out in any contracts that are signed. If you decide what personal data is processed, and how it’s processed, you are a data controller. If you process personal data on behalf of another business or organisation, you are a data processor. It’s important to recognise that businesses and organisations can be both controllers and processors. Any contract between a controller and a processor should define the relationship and the requirement for GDPR compliance.
Prepare for the Worst: Monitor Your Network for Breaches
If you have a robust, secured data processing system in place, you may not experience any problems. But the fact is that, even with secure systems, it is still possible to suffer a data breach. If this happens, the breach needs to be reported to the Data Protection Authority (DPA) within 72 hours of the business or organisation becoming aware of it. Any data subjects whose privacy is put at significant risk by the breach must also be advised, without undue delay. It is important that your business or organisation puts processes in place to ensure that it can comply with these requirements.
Prepare to Deal with System Access Requests
System Access Requests (SARs) will still exist under GDPR. There is a good chance that they will increase in number, as people become more aware of their rights and businesses and organisations will no longer be able to charge for responding to a SAR, except in certain circumstances.
It is also important to note that individuals now have the right to receive their data in a machine-readable format. All of this means that you need to ensure that you have processes and procedures in place that are robust enough to ensure your business or organisation can respond to SARs within the required 40 day time limit.