Every business, whether it is a UK or an EU company, will hold some kind of Personal Data (for its employees) which means they should follow the appropriate steps below, as a minimum for the GDPR.
- Understand Your Data - Know and understand what Personal Data your organisation collects, how it is processed, if it is made accessible without consent, if it sent to third parties, and ensure that your agreements with them ensure that they are identified as a data processor. If your data processors are outside of the EEA, you may need an additional contract to be able to legally end the Personal Data to that country and vendor.
- Create your data purpose(s) - If you already have a data purpose, then ensure that it is updated and appropriate for use for the GDPR. If not then you will need to create a data purpose, which states what data is collected, why it is collected, how it is processed, who and where (if outside of the EEA) it is processed, how long it will be retained for, and who to contact in case of a data protection query (your data protection officer).
- Ensure Content - Ensure that you are obtaining the Data Subject’s consent to use their personal data and that you are recording their consent(s) so that they can be demonstrated to the Data Subject or a Data Protection Authority in the case of a Subject Access Request, or a complaint. If you have a lot of personal data already that you have no record of consent for, then you may want to look at actively re-establishing consent, in some cases (such as in the provision of an active service) consent may be implied, but you may need to see additional help in the area.
- Support the data subjects rights - Assess your business processes and the functionality of your computer systems to be able to support the Data Subject’s rights within the tie frames dictated by the GDPR.
- Create an incident response plan - GDPR requires that following the discovery of a data breach or other incident involving personal data that the incident be dealt with in a way that ensures that the Data Protection Authority or the Data Subject can be informed as to the nature and scale of the breach, the action that has been taken, the potential impact on the Data Subjects, all within 72 hours of the discovery of the breach. This requires having an incident Response Plan that can be followed to ensure that your organisation does not have to establish the process whilst dealing with an incident.
Additional information resources:
- Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now
- Local Government Association guidance - providing various, easy to follow guidance on GDPR best practice
- ICO Checklist