10 steps to GDPR compliance
GDPR will affect everyone in the UK – especially if you process, control or hold data.
It's rocked the boat in a big way. GDPR has changed the definition of personal data in the digital age, and brought new policies in place to regulate how companies gather, hold and process data. The GDPR principles are very different to our current data protection laws, so it'll take careful consideration and planning to get compliant.
GDPR comes into force on May 25th 2018, so now's the time to get started. Follow these 10 steps to make sure you're GDPR-ready when the time comes.
1. Read all about it
There's loads of information online about GDPR – from the new definition of personal data to how it will affect the sector. You'll need buy-in from senior management as well as the rest of your staff, so make sure training is company wide.
2. Be accountable
Under GDPR, you're accountable for all data your company holds. Make an inventory stating why you hold that data, why you need it and if it's stored in a safe manner.
3. Personal privacy changes
Data subjects have the right to data protection, and this protection has changed a little under GDPR:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to access
If you're a data controller, you'll have to fulfil these rights or make sure your data processor can.
4. Share your policies
GDPR affects everyone and it's your responsibility to share your data policies with customers, users and staff.
5. Check legal consent
GDPR has tougher rules when it comes to the legal collection of data. You'll probably need to update your policies to make sure you gather and process data legally.
6. Access requests
Under GDPR, all access requests must be dealt with within 1 month, so make a plan for how you'll handle requests in the new timescale.
7. Customer consent
To process a person's data, you'll now need explicit consent. You may need to review how you seek, obtain and record consent, and see if you need to make any changes under GDPR.
8. Children's data
GDPR states that children cannot give consent for their data to be processed – but the age of consent is changing in different countries. You'll need to know the age of consent in the countries you operate in and make sure you don't seek consent from anyone under that age.
9. Appoint an officer
Appoint a data protection officer to oversee the changes in your business. It needs to be someone with the knowledge, support and authority to do the job well.
10. Plan for breaches
One of the biggest challenges GDPR presents is its data breach requirements. Breaches must be reported within 72 hours, so you'll need procedures in place to detect, report and investigate a breach.
This is all pretty serious stuff – and if you don't comply, you could face fines of up to €20 million or 4% of annual turnover. To see what we've done to prepare for GDPR, download our FAQs. It explains exactly how OneFile complies with GDPR and what it means for our customers, users and partners.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.
This article includes research and opinion sourced by OneFile at the time of publication. Things may have changed since then,
so this research is to be used at the reader's discretion. OneFile is not liable for any action taken based on this research.