GDPR. The four letters that will change the way organisations handle personal information.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, building upon the current Data Protection Act 1998. It requires you to be truly accountable for your management of personal data. It also requires genuine transparency with individuals and for you to make informed, risk-based decisions that account for your needs and the potential impact on individuals.
First, you should assess your current position: you may have policies, procedures and practice that already meet the updated requirements of GDPR in some areas. An initial assessment will give you a clear scope of work required to improve: both those areas that need minor updates, and those which need more work and might take more time.
To help you prepare for 25 May, our Trusted Supplier Protecture has broken GDPR down into three sections: accountability, transparency and security.
The GDPR requires you to be truly accountable for the management of personal data. Do you need to appoint a Data Protection Officer (DPO)? Do you have GDPR-ready policies and procedures? Who needs training and to be aware of their responsibilities under GDPR? True accountability creates a solid foundation for your data protection journey to GDPR maturity.
A key part of accountability is the Record of Processing Activity (ROPA). Creating your ROPA will give your organisation an overview of why it processes personal data, the lawful basis for each processing activity, and the Data Subjects you engage with. It will underpin your approach to risk-based decision making and assist you in meeting individuals' rights and your transparency obligations.
It is crucial that you provide more information to individuals about your handling of their personal data.
To do this, you need to know a great deal about the personal information you are responsible for. The first step to achieve this is through a data mapping exercise. This should establish every point at which your organisation collects personal data. Next, you should document where that data is stored, whether it be in a CRM system, network drive or filing cabinet. Finally, record which internal and (if any) external organisations process the data.
Next, you need to define a privacy information strategy. This should outline how you will provide the additional privacy information required by the GDPR, and do so in a way that is accessible to and understood by the different types of individuals you engage with.
Finally, you should assess the relationships you have with other organisations – whether these are formal contractual obligations, data sharing arrangements, or other partnerships – and prioritise for review those that involve the greatest volume and/or sensitivity of personal data.
Once both accountability and transparency have been addressed, you will be in a position to look at security. You need to assess each of your data stores (CRM system, network drive, filing cabinet, etc.) and consider the security measures currently in place for it.
There are three situations that need to be considered, when data is:
Assessing your current security situation – based on your informed understanding of which stores of data, in which states, have the greatest value, and pose the greatest risk to your organisation – will enable you to quickly establish any significant areas of risk and start taking actions to address them.
This article was originally published here.