The General Data Protection Regulations are the most significant changes to data privacy laws since 1995. Compliance is essential for any organisation that collects or processes data within the EU. This article shall give a brief overview of some of its most essential aspects of GDPR compliance, but it is strongly recommended that if there is any uncertainty in the application of GDPR, that your organisation seeks legal counsel.
How to become GDPR compliant:
1) Become familiar with GDPR
Any organisation that falls under the jurisdiction of GDPR should familiarise themselves with the legislation, the language used in it, and what it expects of organisations. A thorough awareness of the new regulations is essential in ensuring that the processes and procedures of the business are such that they meet with GDPR requirements.
2) Perform an audit on their data
All organisations covered by GDPR are required to know the details of the data they hold, where they hold the data, why they hold the data, and which employees are responsible for managing it. The most effective way of obtaining this information is by performing a thorough audit of the data. One of the most significant changes introduced by GDPR involves how organisations obtain consent from individuals to use their data. Organisations must also ascertain whether they have obtained appropriate consent, and consequently whether they can still legally process the data. If the organisation finds that it had not obtained the appropriate consent, or if the consent has expired, they may need to delete the data.
3) Check processes and procedures
GDPR requires all businesses to know what data they, where and how they store it, and who is responsible for managing it. Organisations must ensure that they can have processes and procedures in place to enable compliance with these requirements. They also need to fully document these processes and procedures so that they can prove they are acting in compliance.
4) Check consent processes
Businesses need to ensure that they have obtained explicit consent from individuals to process personal data, except if there are valid legal reasons for them to process the data. Businesses must inform individuals of the specific reason for processing. There can be no
ambiguity over whether or not the business obtained appropriate consent. Individuals need to take an unambiguous affirmative action to agree to its use.
Therefore, it’s no longer permitted for a business to use pre-checked tick boxes or silence on a telephone line to obtain consent. All consent gathered in such a fashion is no longer valid. Organisations must contact individuals and obtain their consent again to continue using this data.
5) Recognise high-risk data and processes
Article 9 of GDPR covers “high risk” data. Businesses need to assess whether aspects of their data processing might be covered by Article 9. Businesses may need to alter their businesses practices to account for high-risk data. If the business does not have the capability to adjust its practices properly, the business should seek advice from the relevant Data Processing Authority (DPA) before they attempt to process any of the data.
6) Plan for a data breach
GDPR introduces strict new procedures that must be followed in the event of a data breach. Organisations must report data breaches within 72 hours of discovery. Therefore, small businesses must have a contingency plan in place to ensure that if a data breach were to occur, they can meet this strict deadline and enact damage control procedures.
7) Consider hiring a data protection expert
The appointment of a data protection officer (DPO) is only a requirement for large businesses under GDPR. Regardless, if it is within the means of a small organisation, they should consider doing so. Furthermore, if the business is processing sensitive information, as described in Article 9 of the GDPR, it may be a requirement for them to do so.
If an organisation find themselves unable to hire a DPO, the business may use a third- party expert or providing suitable training to someone who already works within the business. The DPO’s roles include educating staff members on subject data rights, advising the organisation on data management and GDPR compliant, assessing IT networks and data security systems on their effectiveness, monitoring internal data compliance and cooperating with the Lead Supervisory Authority.