The General Data Protection Regulation (“Regulation”) is looming; introducing increased rights for data subjects and heavy fines for businesses, we have created a very simple guideline for business to follow to ensure compliance.
These include the following:
- Determine whether your organisation is subject to the proposed Regulation by assessing where your business is carried out and with whom (example inside or outside of Europe).
- Carry out an audit of the data held by your organisation;
- What data do you have?
- Why do you have it?
- How long you have held the data?
- How you use that data?
- Ensure contracts with data processors are thoroughly reviewed. For example: to determine where cloud data is hosted, how it is backed up and how it is encrypted.
- Carry out a gap analysis of the systems and processes you currently have in place: consider which other things will require implementation to demonstrate your compliance with the new Regulation.
- Once you have carried out your analysis above, implement systems and procedures to ensure compliance with data protection laws. These may involve putting any policies and procedures in place to handle issues which arise (such as what should staff do in the event of complaints/data breach/subject access request).
- Review your company processes as to how customer consent to marketing is obtained and recorded within your organisation.
- Offer training to your staff.
- Appoint a Data Protection Officer if your organisation processes large scales of special categories of data and processing and requires regular monitoring or if you are holding data records of more than 5,000 people.
- Keep internal records and detailed documentation of your processing activities and ensure these records are regularly updated and are available when requested by Data Protection Authorities.
- Enforce strict data privacy measures to prevent unauthorised access, use and disclosure of personal data.
Businesses will have to assess the risks that their processing activities pose to data subjects; if the business is a low risk one then the risk of fines is low; if the business is high risk then given the increased fines being proposed, more compliance will be required. Such businesses would be advised to carry out a compliance audit at an early stage. This will ensure they are prepared in time for the new Regulation.
Nath Solicitors can provide help with data risk assessment services. If you would like to discuss how we can help; please contact us for an initial consultation on +44 (0) 203 670 5540 or email firstname.lastname@example.org.