This document discusses the next steps for complying with the General Data Protection Regulation (GDPR). It outlines 6 key principles of data protection under GDPR and recommends completing a data audit and gap analysis to determine what data is collected, how it is stored and accessed, and where compliance gaps exist. Additional next steps include documenting policies around data protection, privacy notices, consent procedures, and data subject rights, as well as establishing agreements for third party data processing and a data breach procedure. Regular review and registration with the Information Commissioner's Office are also advised.
2. 6 PRINCIPLES OF DATA PROTECTION
1. Lawfulness, fairness, transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity and confidentiality
3. NEXT STEPS…
DPO or not?
Carry out a Data Audit and Document it (Data Map)
• Controller or Processor?
• What do I have?
• How do I get it?
• Where do I store it?
  • Locally (digital), Locally (physical) or Cloud (digital)
• Who has access to it?
• How secure is it?
NOTE: GDPR applies to customers AND suppliers AND employees
Complete a Gap Analysis Spreadsheet
• It looks complex and difficult, but it's not!
• This shows your compliance gaps
• Allows you to determine which ones you address first
• Written form of the Data Audit covering most Articles of GDPR – including location, legal basis etc.
4. NEXT STEPS…
Documentation
1. Data Protection Policy Statement
2. Information Security Policy
3. Privacy Notice
4. Consent - Notify existing customers of your GDPR programme and ask for positive consent to store and use their data – strictly for the purposes of your business with them AND tell them the rights they have
5. Give your customers an easy-to-follow form/procedure for Subject Access Requests
• What data you have
• Correcting errors in that data
• Deleting that data
• Restriction of processing
• Data Portability
• The right to object
• The right to appropriate decision making
6. Third Party Data Processing agreements – signed, legal and binding
7. Data Breach Procedure
5. AND FINALLY…
• Register with the ICO and advise clients of this.
• Regularly monitor and review policy, procedures and published documentation to ensure they remain effective and relevant
No DPO, but all staff must be aware of their obligations under GDPR and this must be recorded – could be on the Gap Analysis – see later
Consent
Contractual
Legal Obligation
Vital Interests
Public Interest
Legitimate Interest
Documentation
Data Protection Policy Statement
setting out your approach to GDPR and the security of information in your business.
Information Security Policy
stating that you will ensure that storage and transmission of data is appropriately secure.
While the ICO and larger organisations treat these as 2 separate topics, smaller companies could make “Information Security” a subsection of the Data Protection Policy Statement
Privacy Notice for clients
who you are, why you’re collecting data (e.g. to fulfil a contractual obligation), to confirm what it’s being used for, what you’ll do with it, the safeguards you have in place and setting out their rights as regards restriction of use etc. Where websites are used for the gathering of information, these privacy statements will need to cover the use of cookies etc.
Subject access requests
Easy-to-use procedure (and maybe a form) for clients to contact you asking about their rights:
What data you have
Correcting that data
Deleting that data
Restriction of processing
Data Portability
The right to object to certain types of processing
The right to restrict decision making based on automated processing