GDPR is coming. If you don’t know anything about it, first head over to the Information Commissioner’s Office and get yourself acquainted. This article will give you some practical steps you should be taking now to prepare.
First, let me address the objections:
We don’t have any personal data – Do you have employees? How about marketing lists or address books? Businesses will always involve people so it is highly improbable that you don’t have any personal data.
We are mid-Brexit everything will change – The ICO have already said we will be going ahead with this regulation. The nature of the changes are a natural extension of the existing data protection regulations, but with bigger fines.
Regulators rarely fine, we’ll wait till they start making waves – Probability is that you will not be hit with an audit. But if you are and you fail to demonstrate compliance the fines are up to 4% of global turnover.
Starting your GDPR Journey
Creating a list of the repositories
Create a list of all the repositories in which you have personal data. The new definition of personal data also extends the previous data protection definition and can include IP addresses.
Extend your search beyond the obvious main applications/systems. Consider local desktop files like documents and spreadsheets. Think about the various other mediums those files could be moved on to, such as USB drives or smart phones. Don’t forget hard copy printed documents. CCTV and telephone call recordings can also be subject to the regulation.
You will likely end up with a long list of items. It may be helpful to identify the key information repositories and link all the of the copies of that information to it. For example, you may have a central list of employees in your HR system and consider the printed files a subset of this information.
Creating a list of the processes
Once you have a list of the repositories, you need to document the processes which are performed on the data. That can be a descriptive narrative, a set of steps or a pretty diagram.
Identifying Owners and Metadata
For both the data repositories and processes identifying a business owner is an important step. Once you have this gather the various meta information.
For the data, this should include, Where did the data originally come from? What consent does the company have from the data subjects? What is the purpose of retaining the data? How long will the data be retained for? Physically where is the data stored? What controls are there for the data repository? Is the data ever transferred to another party? How is the data removed?
For the process, this should include, What are the steps to the process? Why is the use of the data necessary? What controls are there on the process? How are temporary copies of the data destroyed?
When identifying third parties either as a source for data or where data is sent you should be reviewing whether or not that party is acting in accordance with GDPR principles.
This guide is only an introduction, once you have this core set of information about the repositories and processes you can then move on to looking at the following.
- Defining a Data Protection Policy including adjustments to the control framework.
- Staff Training and Awareness to communicate the new requirements.
- Data Privacy Impact Assessments
- Breach Notification Procedures
- Data Transfer Logs
- Data Subject Requests (Access, Correction, Erasure, Limitation)
- Third Party Risk
- Data Subject Parental Approval (only applicable with data held for those 16 or under.
- Data Minimisation / Pseudonymisation to reduce the numer of repositories.