With less than 2 weeks until GDPR comes into force on 25 May 2018, is your firm on the journey to getting data protection ready? If not, here are our top ten tips to get you started…
1. Conduct a self-assessment/compliance audit
Ensuring that your firm is ready for GDPR need not be an overwhelming task. At the recent Data Protection Practitioners’ Conference, Elizabeth Denham, the Information Commissioner, said ‘it’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning. This is a long haul journey…’ Therefore, firms need to ensure that preparations have begun and that they continue beyond 25 May 2018.
A starting point is therefore to conduct a self-assessment or compliance audit to check your firm’s current compliance with the Data Protection Act 1998 and to identify what you need to do to meet the new provisions of the GDPR. The ICO has produced a useful infographic, ‘12 steps to take now’, and a self-assessment checklist, both available to download from its website. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
2. Data mapping/audit
Identify what personal data your firm holds, why it holds it, where it is held, who it is shared with and how securely it is stored. A data mapping exercise will help your firm maintain a central record of its processing activities in which the lawful basis for each processing activity and the fair processing (transparency) information given to individuals are identified.
3. Update your policies and procedures
• What policies and procedures are in place for supplying information in response to a subject access request?
• What policies and procedures are in place for restricting, deleting and correcting personal data?
• What policies and procedures are in place for handling and reporting data breaches?
Your firm will need to review and update its policies and procedures to ensure that they cover all the rights an individual has under the GDPR. The GDPR requires firms to respond to subject access requests without undue delay and in any event within one month (rather than the 40 days under the current Act), and without charge in most cases, and to report certain personal data breaches to the ICO within 72 hours of becoming aware of them.
4. Have a data declutter
De-cluttering, that is deleting data that is no longer required, will help your firm keep track of what data it holds and will make responding to subject access requests much easier. Many firms fail to comply with their own data retention and destruction policy and end up keeping files and emails in their Outlook folders indefinitely. Take this opportunity to put your house in order and start the GDPR journey with a clean slate.
5. Data Collection Notices/Privacy Notices
Alongside your policies and procedures, make sure that your Data Collection/Privacy Notices are also updated. Ensure that your terms and conditions of business are updated to include a Data Collection Notice which explains how your firm will collect and process personal data, the lawful basis it relies on and the rights individuals have. Make sure that a copy is also published on your website for ease of access. Don’t forget that, if you employ staff, they too must be told how your firm, as their employer, will process their data!
6. Training of all staff
Where staff within your firm have access to or handle personal data, provide training on keeping that data secure and on how to recognise, deal with and report a data breach.
7. Appoint a Data Protection Officer
The GDPR requires a firm to formally appoint a Data Protection Officer (DPO) if it carries out certain processing activities: broadly, where its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data. If your firm is not required to appoint a formal DPO, consider designating a Data Protection Officer in any event, to oversee your firm’s compliance with the GDPR, to receive and deal with subject access requests and to report data breaches to the ICO.
8. Direct Marketing and Consent
One of the biggest changes introduced under the GDPR concerns consent from individuals. Where a firm relies on consent as its lawful basis for processing, it must be able to demonstrate that the individual has given that consent. Consent requires a clear, positive opt-in; firms can no longer rely on pre-ticked boxes, silence or inactivity. Therefore, review your existing consents and identify whether they meet the GDPR standard. If not, you will need to obtain fresh consent, or identify another lawful basis for the processing.
9. Review your contracts with third parties
Are any of your processing activities carried out on your behalf by third parties (processors) such as accountants or medical agencies? Ensure that your firm has a written contract in place with each processor that contains the terms required by Article 28 of the GDPR.
10. Don’t be afraid to seek professional advice and assistance
If you require advice and assistance on preparing your policies and procedures, training or template documents please contact Legal Compliance Consultants.