The term ‘GDPR’ has become like that annoying hit record that stayed at number 1 for 13 weeks! We’re all fed up of the constant inbox-filling emails about GDPR seminars and meetings, to the point where some of us may have pushed it way under our bed, where it looms like a night monster waiting to attack on the 25th May 2018.
Well, we’re here to tell you that it doesn’t need to be scary. Many elements of the new Data Protection regulation are actually the same as before and the new bits improve our rights and add some extra controls to ensure organisations handle our data how we would expect them to, without annoying us or putting our privacy at risk.
Firstly, don’t believe the ‘buy this tool to be compliant’, ‘fines will be at the maximum’, ‘ICO will actively be trying to catch people out’ headlines – that’s just scaremongering. Instead, it’s the simple things that will help you.
It’s important to remember data protection affects us all. Just think about all the places you’ve had to share your personal details – name, address, telephone numbers and even bank details. Spend a moment writing a list of all the organisations that have some form of personal data about you. It’s scarily big, isn’t it! Now think about how you’d want those organisations to use your data. Putting yourself in the position of the ‘data subject’ will help you understand what your customers or clients may expect from you and help you to understand their concerns.
With this insight you’re in a great position to tame that monster, by taking the following steps:
How and why do you collect it? How do you use it and process it? What systems do you use and who do you need to share it with? This can be done by drawing out process flows (data mapping) from the point of data collection to disposal, detailing all actions in between. (No, you don’t really need that automated discovery tool.)
What are you relying on to be able to process the personal or special category data, such as legal requirement, contract, consent etc.? Top tip: choose consent only if others are not appropriate.
Be upfront about what you are going to do with the data you hold. Have you informed individuals clearly and simply what their data will be used for, how long it will be retained, who it will be shared with, what their rights are and how to raise concerns or exercise their rights?
Yes, I do mean everything. Put all your preparations in one folder or a specific place, to ensure you can comply with the Accountability Principle which requires organisations to be able to demonstrate how they comply with the new Data Protection regulation.
If you have a breach the ICO will always ask you
Being prepared is your best defence to protect your organisation’s reputation and future.
Our Cyber team have prepared a helpful flow chart.
Hopefully now you can sleep soundly with that monster tamed, or at least with a strategy and practical plan for dealing with it.
This article was originally published here.