With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, we take a look at the initial strides you can take to ensure your data and IT systems will be fully compliant.
The changes in the regulations may seem a little daunting, but hopefully, as with everything, breaking them down into smaller, more manageable steps will ease any anxiety you may have.
1. Be Aware
Simply put, if your organisation handles personal data of any kind and operates within the EU, or operates outside the EU but deals with individuals within the EU, the GDPR will affect the way your business collects, processes and stores that personal data.
To confirm, the UK government has made it clear that the provisions of the GDPR will still apply after Brexit.
It is therefore very important that you and other key decision makers within your business are fully briefed on the law and understand the changes the business needs to make.
Your current privacy notices will need to be reviewed in line with the GDPR, as individuals will need to be given more information about the data held, the purpose for which it is being processed, how long it will be held for and who else will see it.
According to the GDPR, you will need to inform individuals of their rights in regard to their data, and allow them to access, delete, freeze and correct inaccurate data. The Regulations also set out stricter conditions for obtaining the consent of individuals, whereby the onus is on the business to show consent has been freely given and is specific, informed and unambiguous.
In order to ensure your data and technology are compliant, you first need to know exactly what personal data you hold.
Under the GDPR, personal data includes not only the data we usually think of as personal in nature, e.g. social security numbers, names, physical addresses and email addresses, but also data such as IP addresses, behavioural data, location data, biometric data, financial information and much more.
You then need to document where this data originates, who uses it and how, for how long it is required, who you share it with and where the data resides. It is also important to note at this point whether any data is transferred outside the European Economic Area (EEA).
This process could take a while and will involve working with all departments to understand what data they use, store and transact.
We should note here that measures should be taken to minimise the data collected going forward, to ensure it is processed ONLY for the specific purpose for which it was obtained, and to ensure the data is retained for no longer than strictly necessary.
Best of luck with these initial stages of preparing for the GDPR, and rest assured that we at VCI Systems will also be going through these steps. After all, failing to prepare is preparing to fail, and it’s always better to be safe than sorry!
Look out for our next article on GDPR coming soon, in which we will discuss how you can protect this data.
For any technical assistance, please contact us on 0118 9767111 or email firstname.lastname@example.org.