Are you and your staff GDPR Compliant?

When the EU’s GDPR (General Data Protection Regulation) was introduced in May 2018, it represented a big step forward for data privacy protection legislation in the UK.

For thousands of businesses, GDPR presents a daunting compliance challenge around how they handle and report on data. Organisations that fail to comply with this regulation can face fines of up to £17 million or four percent of global revenue, whichever is higher.

So what is the coffee break summary of GDPR?

We could go on for page after page about what GDPR is, and there are plenty of blogs and articles covering the full detail, but to cut to the main points, here is our coffee break summary:

  1. Overall, this is about good data management practices and data protection by design.
  2. As mentioned above, there can be big penalties for failing to comply.
  3. You do not have to be based in the EU for it to apply to you.
  4. GDPR puts the person or company in charge of their own data, and places the onus on whoever uses that data to ensure they explicitly have the right to use and store it.
  5. Explicit consent must be obtained from individuals for the processing of their data, not hidden in long and illegible terms and conditions.
  6. The definition of personal data has been expanded to include things like IP addresses and mobile device IDs.
  7. Data processing registries will be mandatory, so organisations will need to keep records of personal data processing activities and have a Data Protection Officer assigned.
  8. Data breaches will have to be reported within 72 hours.

And what do you need to do?

  1. Identify where all your electronic data resides: think about laptops, PCs, servers, cloud storage platforms, marketing systems, websites and USB sticks. Remember this is not just the 'approved' IT systems but also shadow IT and end-user computing solutions, some of which you might not even know about yet.
  2. Review and assign or identify owners for the GDPR roles (these may already be known and just need review):
    1. Data Protection Officer
    2. Data Processor
    3. Data Controller
  3. Update your terms and conditions so they’re in plain English – without legalese or jargon.
  4. For marketing purposes, add opt-ins to your website so that visitors give their consent before you collect their data.
  5. Audit all the data you currently store, and understand whether you need it or whether it should be deleted.
  6. Once you know what data you have and how long you should keep it, set up processes to make sure you are dealing with it properly and consistently. This can be an update to your existing data protection plan or policy, or the creation of a new one.
  7. Set up a process for handling requests from individuals who ask for their data.
  8. All partners or third parties you work with need to be GDPR compliant too, so make sure you assess them. Remember, if you hold your data in the cloud, this needs to be considered as well.
  9. Train your staff on the changes and new policies.
  10. Last but not least, write down your plan and approach to implementing this, so that you can demonstrate your action plan if challenged and if you aren't fully compliant by the May deadline.
