Businesses should familiarise themselves with GDPR best practices to maximise their chances of achieving compliance. GDPR is a complex piece of legislation, but organisations can facilitate their compliance journey by ensuring that particular methods and practices are adopted. This article outlines some of the best practices that organisations can follow.
Carry out an audit
One of the most significant changes introduced by GDPR concerns changes in how organisations obtain consent from individuals to use and collect their data. Organisations must obtain informed consent from data subjects to use their data for a pre-defined purpose. Only organisations that can produce a legitimate legal reason for the personal data to be held or processed are exempt from this rule.
This ruling means organisations can no longer use pre-checked tick boxes to obtain consent; data subjects must deliberately give consent. It is possible that an organisation may need to re-obtain consent from individuals who had their data collected in this manner.
By performing an audit, businesses can ensure that all of the data they hold meets GDPR’s requirements. The audit should assess what data the organisation holds, how it is stored, and for what purposes it is used. The audit allows businesses to identify issues which may need to be addressed to ensure full compliance is reached.
Data management systems
Following the audit, businesses should implement data management systems, so that they keep a record of what personal data they hold and process, where that data is stored, how they obtained it, and whether or not the need for the retention of the data still exists. They should also be aware of which member of staff is responsible for the management of the data. Developing data management processes allows businesses to comply with GDPR efficiently.
Businesses should only keep data if it is still useful for the purpose for which they originally obtained it. If it is no longer useful, the organisation should safely delete the data. Organisations should have a valid legal reason for keeping the data and processing it if the original purpose no longer exists. It is a good practice to regularly delete data, as the less data an organisation holds, the less damaging a breach of that data would be.
Compliant reporting processes
Regulatory authorities may require businesses to provide evidence that they are compliant with GDPR. If businesses keep detailed records of their policies and procedures, then they can easily prove that they follow GDPR’s requirements. If businesses fail to present the regulatory authority with sufficient evidence, they may be subject to a fine.
Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) allow businesses to assess the risk level of the different types of data they hold. Furthermore, they allow businesses to plan for the event of a data breach, as some types of data would be more damaging than others if they were to be compromised. Businesses are responsible for ensuring that all risks are identified and mitigated. DPIAs are a critical GDPR best practice.
Train staff in GDPR best practices
Employees must understand their responsibilities under GDPR. The regulations require all employees to undergo training. The amount of training that an employee undergoes may be tailored to their specific role. Many data breaches occur due to employee negligence, such as leaving a laptop in a location in which it can be easily stolen. Furthermore, employee ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, which may result in millions of files being stolen by a hacker.
Employee training should be held regularly, in short sessions. Employees should be engaged during the training course, and tested on their understanding of their responsibilities under GDPR. Certain aspects of GDPR, such as the rules surrounding data processing, are more applicable in a day-to-day setting and should be allocated more time. Employees should be given regular reminders on issues such as IT best practices and the dangers of cyber attacks.
It is essential to keep a record of training sessions, such as who attended, what the session covered, and how regularly they occur. As employee training is a requirement of GDPR, auditors may need to see records of the training sessions.
Data breach response plan
GDPR introduced strict requirements that organisations must follow in the event of a data breach. It is a GDPR best practice to ensure that the organisation plans for a potential data breach well in advance and that its employees understand their responsibilities in the aftermath of a breach. GDPR requires data controllers to notify the supervisory authority of a data breach within 72 hours of its discovery unless they have determined that the risk of harm to the individuals affected is minimal. Data processors are required to inform data controllers that a data breach has occurred without “undue delay”.
Furthermore, GDPR stipulates that the organisation is required to notify individuals that their data has been compromised if it is possible that they are at heightened risk of fraud or having their data used for nefarious purposes. However, they are not required to notify individuals of a data breach if the breached data was “unintelligible to any person who is not authorised to access it”, such as through encryption.