The 12 steps to GDPR compliance
The 12 steps you can take to begin preparing now for the GDPR.
1. Ensure that decision makers are aware that the law is going to change and that they appreciate the likely impact of this.
2. Understand what personal data you hold, where it originated and who it is shared with. An information audit may be needed.
3. Review your privacy notices and put in place policies that control who you share personal information with, so that any such sharing complies with the GDPR.
4. Ensure that you have procedures covering all the rights individuals have, including the right to have their personal data deleted.
5. At the same time, establish procedures that enable you to answer subject access requests within the new timescales (normally one month, rather than the 40 days under the current law).
6. Understand why you are processing data, document what you are doing and why. Data processors will have more responsibility under the new rules.
7. Consent is one of the lawful bases for processing. Where you rely on it, you must be able to show that it was freely given, specific, informed and recorded. As a processor you need to be sure that the data controller has obtained valid consent to use the personal data it passes to you.
8. If dealing with the personal data of children, parental or guardian consent will be needed to offer online services to them - not so likely for print businesses.
9. You need to have clear procedures for what to do in the event of a data breach. The ICO must be notified within 72 hours of becoming aware of a breach where it is likely to result in a risk to individuals, and the individuals themselves must be told without undue delay where the risk to them is high.
10. Understand the guidance the Information Commissioner's Office has produced on Data Protection Impact Assessments and how these should be implemented inside the organisation, particularly for new processing that is likely to be high risk.
11. Designate someone to take responsibility for data protection compliance, and check whether you are required to appoint a formal Data Protection Officer (for example, where you carry out large-scale monitoring of individuals or large-scale processing of special categories of data). That person is the custodian of all GDPR related activity and must have the authority to take decisions around personal data.
12. Understand, when working internationally, which lead supervisory authority is responsible for your organisation. It may not be the ICO if your main establishment or your customers are based outside the UK.
The precise definitions of all roles and statements have still to be worked out or published. These will be issued via the www.ico.org.uk website.
Contracts may need reviewing to cover the handling of personal information and responsibility for that information.
CDi, through the BPIF, is providing companies with GDPR support through workshops and specialist services.