How your business can start preparing for data legislation changes
With the new General Data Protection Regulation (GDPR) becoming effective in May 2018, it's important that businesses start to prepare for this change now. We've put together some handy tips on how companies can start the process today to help you be compliant when the change comes into force.*
What is GDPR and why is it a big deal?
Simply put, GDPR is the European Union (EU) way of “harmonising” data privacy laws across Europe to give individuals a greater sense of control over who uses their data and where their data is stored.
Note the UK will need to comply with the legislation whatever the situation regarding our EU membership.
Since Europe’s data protection laws came into play in the 1990s, the volume of data businesses keep on record has increased significantly. The EU therefore felt the rules needed updating, and the new rules include numerous new requirements for companies.
For example, the new legislation gives individuals the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision making and profiling.
Tip 1: Delegate a specific team
Our first tip is to put together a specific GDPR team. Your chosen team should be made up of key players in your organisation who understand the processes and procedures of the business and have the authority to make changes if needed. This could consist of your HR Manager, the CEO or a Director, and it could also be worth outsourcing an independent Data Protection Officer to be responsible for data protection compliance. These people will be responsible for mapping out data and processing across the business. They will need to work with your operations and front-of-house teams, marketing, legal, payroll & accounts and, importantly, your IT departments.
Tip 2: Research the new law inside and out
Do your research on the legislation and take some time to really get your head around it in relation to your sector. It is likely that there are sector-specific governing bodies and associations holding seminars on the subject, so get booked onto them and work with them to make sure you’re compliant. If your business isn’t compliant, you could pay out a hefty fine of 4% of your global turnover (or €20 million). A good place to start your digging is ico.org.uk, where there is a step-by-step guide to data protection.
Tip 3: Organise the data you already have
Document every bit of data throughout your organisation: the source of the information (where you get it from), how and where you store it, and who you share it with.
Tip 4: Review your systems security
Make sure your data is secure: check what security measures are in place, for example system security, people access, physical access and external threats. Create and improve security controls to minimise the risks.
Tip 5: Make your employees aware
Ensure everyone in your business stays in the loop and knows about the ongoing changes that are happening with GDPR within your business. Many people will not know about the changes and why it is vital to do things by the book, so it may be worth setting up and organising some training for your employees/colleagues. By ensuring everyone is “in the know”, there’s less chance that something could go wrong and data protection could be breached.
Tip 6: Update policies and procedures
Last but not least, ensure all your company policies and procedures are reviewed and updated where necessary so that your compliance is at an all-time high. This could be where you use your Data Protection Officer or independent consultant. Any updates should be circulated around your business and everyone should take the time to read through so that they are clear on all things GDPR.
*Please note that this blog in no way constitutes legal advice. This is simply guidance on where to find information and how to start thinking about your GDPR plan.