GDPR The beast from Europe
No doubt you have all heard more than enough about the impending changes that these regulations are due to bring to all businesses. Much like forecasts of snow, we are left wondering whether it is going to be a fuss about nothing or something that brings normality to a grinding halt.
A well-known commentator in the legal world described this process as a journey rather than a destination. As businesses develop and grow, so will the need to review data protection issues. There is no doubt that many organisations are not ready, but rather than sticking your head in the sand like an ostrich, remember that it is not too late to make a start. After all, those who say they were ready months ago have by no means finished their journey.
Rather than focus on the headline-grabbing fines and penalties, we are concentrating on what you can do now to make a start, or to check that the start you have made is on the right track.
- Give someone responsibility for your journey. Although you will not be able to blame them for any deficiencies, it will mean that you can avoid endless round-table meetings which resolve nothing. Give them senior leadership support and the resources (time is a key one here) to ascertain what is needed and how you can build this into your business rather than stop the business from operating.
- Give some thought to what information you have, where it is kept and who it might be shared with.
- Review and update privacy notices. These are probably hidden away somewhere on your website. Look around at what others have, but be careful about copying them due to copyright issues. See if any of your trade organisations have a template for you, but make sure it makes sense from your organisation’s viewpoint.
- Consent: do you need it and, if so, how will you capture records of it? Remember consent is not the only way to justify collecting and using data.
- Check your suppliers are looking after your data. Review and update any contractual terms.
- If you use automated decision-making, you need to check the new provisions regarding this.
- Update any internal Data Protection policy.
- Make sure you and your staff know what to do in the event of a data breach.
- Make sure you and your staff know what to do when a data subject makes a request to access or erase their data.
There are many guidelines and best practice notes behind these bullet points, but the first step is to make a start. Even if you are not going to be ready by the 25th May, the Information Commissioner’s Office will appreciate those that are making genuine and real efforts to put their business in order.