As the General Data Protection Regulation (GDPR) comes into force tomorrow, 25 May, we are using this edition of our Newsletter to highlight some of the important changes with which all businesses are having to come to grips.
We see many of the changes in data protection law introduced by the GDPR as a positive step forward, as they increase your existing rights to data privacy and security, as well as improving the protection of your personal information.
Privacy is not a new concept, but the GDPR and the new Data Protection Act will ensure that we become trusted guardians of personal data . . . or face the consequences.
You may be surprised to read the next sentence, bearing in mind this is being published by a firm of solicitors. Contrary to what many commentators have been saying about the GDPR, compliance does not have to be overly complex. There are a handful of steps which are common to most organisations, and they form a logical process.
1. Assess, analyse and prioritise the risks
The first step to complying with the GDPR is to identify and assess the risks to your organisation and to the rights of the individuals whose data you hold. This can be achieved in a variety of ways, including a readiness survey, a gap analysis, and preparing a process register followed by a risk register. It may be useful to present the risks in an organisational risk heat map, to focus understanding, effort and budget: in that way, the highest risks are allocated the greatest proportion of your time and resource. Preparing a process register is one of the most critical parts of these exercises, because it records what personal data you hold, where it comes from, why you process it and who it is shared with. In order to fix a problem, you must first understand what is broken.
2. Create your policies, procedures and agreements
Once you understand the issues, you can implement appropriate policies and procedures. The following list is the standard set, although your organisation may not require every item.
(a) PIMS (Personal Information Management System) – your PIMS is a template for you to develop and integrate with your existing policies. It is your “master control”, a live document unique to your organisation and, like your Process Register, will require your continual attention and adjustment.
(b) Process Register
(c) Organisational Privacy Risk Register
(d) Readiness Assessment and GAP Analysis
(e) Data Protection Policy Statement
(f) Privacy and Cookie Notice
(g) Privacy Procedure
(h) Training Policy
(i) Subject Access Request Procedure
(j) Records Management Policy
(k) Information Security Policy
(l) Data Protection Impact Assessment (DPIA) Procedure
(m) Consent and Consent Withdrawal Procedure
(n) Data Breach Procedure
(o) Complaints Procedure
(p) Data Sharing Policy
(q) Third Party Service Provider Agreement for Data Processing
3. Develop workable processes to plan for continual maintenance and improvement
Once your policies and agreements are in place, you can then develop the process controls that keep them up to date and relevant. Complying with the GDPR is far more than a paper exercise: under its accountability principle you must be able to demonstrate compliance, so real changes must be visible and provable in the very cultural fabric of your organisation.
If you would like any further information and advice on complying with the GDPR, please contact Justin Sadler on 0118 958 9711 or [email protected]. Justin offers a no-obligation, one-hour fixed-fee meeting for £95 including VAT.