The new GDPR regulation is already here. It will affect businesses and all of their suppliers. Working with personal information will be under strict control. It applies to businesses dealing with European citizens and to organisations in any other country that have access to European citizens' personal information. Here are some important GDPR key tasks you can start with in the process of becoming GDPR compliant.
Key Task 1. Registering with the ICO and paying a Data Protection fee
A new fee system is going to replace the existing one that businesses pay when registering their data processing with the ICO.
If your business already has a registration, you don't have to pay the new data protection fee until the current registration has expired. All other businesses that don't yet have a registration, and aren't exempt, will need to pay the new fee when GDPR becomes active on 25th May this year. The size of the company determines the annual fee. These fees are used to fund the ICO's work.
Key Task 2. Creating/updating an Information Asset Register (IAR)
An asset register shows all the different software your business works with.
An IAR helps you audit what personal information you're storing by creating a "map" of the data assets. Knowing how and where sensitive personal data is used allows you to decide which parts of this data can still be processed, and which should be cleaned up or removed, in accordance with the GDPR legislation.
Key Task 3. Reviewing / Creating Privacy Notices
Privacy notices should explain:
- how the data you store will be used
- what the purpose of the collected data is
- who will have access to the data
- how long the data will be retained
Key Task 4. Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a tool which helps an organisation identify and analyse how data privacy might be affected by certain actions or activities. The DPIA should be managed by people who know the project in detail and have the appropriate knowledge, normally the team working on the project.
Key Task 5. Cyber Security Computer Network Upgrade
This document should describe your network structure and the types of devices used in it. Multiple connected devices increase the risk of sensitive personal data being exploited, so all network access endpoints should be managed from a single dashboard.
This streamlines data management across the various endpoints, improves visibility of the whole network so the internal IT department can protect the flow of data, controls who can pass through an endpoint to reduce threats and the risk from remote access, and optimises detection and response time for suspicious activity.
Key Task 6. Procedures for exercising user rights
Most of the rights people have under GDPR aren't new; they already exist under the Data Protection Act, so you may already have experience dealing with such requests even if you don't have a formal procedure. The GDPR updates to individual rights must be reflected in your business procedures. See the list below:
- The right to be informed (of their rights and how to exercise them)
- The right of access to their data
- The right to rectification
- The right to erasure of their data
- The right to restrict processing of the data
- The right to data portability of their personal data
- The right to object to the use of their data
- Rights in relation to automated decision making and profiling.
Key Task 7. Data breach procedures / Disaster recovery
Any loss of personal data must be reported to the ICO within 72 hours. You would then also be required to inform the people whose data has been compromised (lost, sent to the wrong person, etc.) about what has happened.
Key Task 8. Reviewing use of consent
Consent is very often used for marketing activities or messages, website cookies, online tracking, and installing apps or software on personal devices. Consumers must be able to easily understand that they are giving consent, and what they are consenting to, without important details hidden in small print. The GDPR-compliant definition of consent includes additional requirements regarding how consent should be given.
Key Task 9. Review your contracts
Your contracts might contain personal data, meaning that they might be subject to the new regulation. Organisations should review their existing contracts and, where needed, re-draft them to be GDPR compliant.
Key Task 10. Website GDPR upgrade
GDPR will have a huge impact on website design, which will have a ripple effect on how your website integrates with your other digital activity such as email marketing, social media and e-commerce. Areas to review include:
- SSL certificate
- Cookies facility and interactive selector
- Contact us form
- Cyber Security Vulnerability Report
- GDPR readiness assessment and recommendations
- Data encryption
Key Task 11. Assign Data Protection Officer / Administrator
The main role of the data protection officer (DPO) is to make sure that the organisation processes the sensitive personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
This could be an existing employee or an externally appointed person. The DPO must be a specialist aware of the new data protection legislation, adequately resourced, and able to report to the highest management level.
Key Task 12. Awareness and training
A key element is focused, role-based training for staff who process sensitive data.
Familiarising all employees with the critical compliance components, and with management's obligations under GDPR, will make them more effective in their jobs. Giving your staff a clear understanding of GDPR requirements will help them carry out their work.
Key Task 13. Prepare GDPR statement
Every company taking the new data protection regulation seriously should inform its clients about the changes and the areas covered by the new legislation. These actions are usually focused on:
- Internal data control and management processes
- Website updates
- Network updates