News

The GDPR Minefield

What is GDPR?

The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998. Significant and wide-reaching in scope, the new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

Compliance is not a choice and time is short

GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you be able to demonstrate compliance with the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.

With the appropriate compliance framework in place, not only will you be able to avoid significant fines and reputational damage, you will also be able to show customers that you are trustworthy and responsible, and derive added value from the data you hold.

What is required and how to take action? The “7 Steps” to GDPR compliance

This checklist highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.

1. Establish an accountability and governance framework

To do: 

  • Brief management on the GDPR risks and benefits.
  • Gain management support for a GDPR compliance project.
  • Assign a director with accountability for the GDPR – A Data Protection Officer
  • Incorporate data protection risk into the corporate risk management and internal control framework.

2. Scope and plan your project

To do: 

  • Appoint and train a project manager.
  • Identify which entities will be in scope: business units, territories, jurisdictions.
  • Identify other standards or managements systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates information security best practice.
  • Assess the principle of data protection by design and by default against current or new processes and systems.
  • Consider Brexit implications in your planning.

3. Conduct a data inventory and data flow audit

To do:

  • Assess the categories of data held, where it comes from and the lawful basis for your processing.
  • Map data flows into, within and from your organisation.
  • Use the data map to identify the risks in your data processing activities and whether a data protection impact assessment (DPIA) is needed.

4. Conduct a detailed gap analysis

To do: 

  • Audit your current compliance position against the requirements of the GDPR.
  • Identify compliance gaps requiring remediation.

5. Develop operational policies, procedures and processes

To do: 

  • Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
  • Bring data protection policies and privacy notices in line with the GDPR.
  • Where relying on consent, ensure quality of consent meets new requirements.
  • Review and update employee, customer and supplier contracts.
  • Plan how to recognise and handle data access requests and provide responses within a month.
  • Have in place a process for determining whether a DPIA is required.
  • Secure personal data through appropriate procedural and technical measures.
  • Ensure policies and procedures are in place to detect, report and investigate a personal data breach.
  • Review whether the mechanisms for data transfers outside the EU are compliant.

6. Communications

To do:

  • A GDPR is a business change project – effective internal communications with stakeholders and staff is key.
  • Employees need to understand the importance of data protection and be trained on the basic principles of the GDPR and the procedures being implemented for compliance.

7. Monitor and audit compliance

To do:

  • Schedule regular audits of data processing activities and security controls.
  • Keep records of personal data processing up to date.
  • Undertake DPIAs where required.

Having supported many businesses, at 7 Step we are able to hold your hand through the many pitfalls of the new legislation to ensure you are fully compliant by the May deadline.