Business owners are being encouraged to plan and prepare for compliance now in light of the new General Data Protection Regulation (GDPR) as we begin to count down to the ratification of the Regulation into UK law.
We will take a look at how small businesses can prepare themselves for changes and offer some advice to business owners who are not certain of the GDPR implications on their business.
The changes in data protection due to be introduced into the UK will be the biggest change in data protection law and privacy laws in some time. Coming into force on 25 May 2018, the regulation is the completion of four years of debate within the European Union (EU).
It is important to note that the triggering of Article 50 and Brexit is not linked in any way to the ratification of the GDPR next year. In fact, the UK government has made it clear that we will be adopting, in its entirety, the GDPR despite Brexit.
What practical steps should you be taking now as you work towards compliance?
- Review and document all of your relevant policies for GDPR compliance. This will include all privacy policies and notices, current data protection policy, data sharing policy and information security policy surrounding your cyber security
- It is important that the GDPR is one of the key topics on your Board’s agenda and that adequate resources, time and budget is allocated to your GDPR compliance programme
- Carefully review and document the methods, procedures and processes you use to collect consent from data subjects and the systems you use to store that information
- Ensure you develop processes and procedures to manage data breaches and are able to notify the ICO of any major breaches within 72 hours
- Deliver GDPR training for all of your employees
- Review existing contracts including employee and 3rd party contracts, and make any necessary amendments
- Ensure that all personal data is processed in easily, well-structured, secure and searchable databases so that you can handle data subject access requests quickly and efficiently
- Appoint a Data Protection Officer, who should be senior enough to sit at Board level. If you choose not to do so then ensure you have an individual within your organisation who is given the responsibility and accountability to deal with data protection, data protection issues and the relationship with the ICO
- If for any reason you deal with the transportation of data outside the EU then ensure you have the relevant arrangements in place to ensure your GDPR compliance
- Schedule regular reviews to ensure that you are on track with your GDPR compliance plan and beyond
If you are in any in doubt about what you need to do or know, then the ICO website is always a very good point of reference.
If your organisation has already meet current requirements under the current Data Protection Act 1998 then your organisation is in a good position. Although the GDPR displays some significant challenges, you should also see this as an opportunity.
Many of your customers are becoming increasingly privacy literate and embracing the changes within the GDPR will only increase trust and strengthen your brand.