What do I need to do to comply with GDPR?
In May 2018, the Data Protection Act 1998 was superseded by the General Data Protection Regulation (GDPR), implemented in the UK by the Data Protection Act 2018. GDPR harmonises the rules on storing and using personal data across EU member states, so the same core obligations apply wherever in the EU a business operates.
Generally, if your business was DPA-compliant, you will already be most of the way to GDPR compliance, although GDPR adds some obligations (such as records of processing, breach notification and impact assessments) that the old regime did not have. If you're a new business or are unsure of how GDPR works, read on to find out more.
How to make my business GDPR-compliant
There are 11 processes and procedures that should be followed to ensure you’re GDPR compliant. You can find each of the 11 steps below, as well as information on what you can do to adhere to them.
1. Ensure all key decision makers are aware of GDPR
The first step is to ensure that all key members of the business understand what GDPR means, how it will be enforced and the potential risks associated with non-compliance. This is to ensure that GDPR is adhered to in the correct way by each member of the business, where applicable. You can do this through a GDPR handbook or by pointing staff to useful information and guides online.
2. Document all the data you hold
For GDPR purposes, it’s important that you explicitly document what data you have, where it is stored, who has access to it, who is responsible for it and where it came from. This can be quite a hefty task, particularly if you’re starting from scratch, so where do you begin?
First, assess exactly what data you hold and categorise it. It could be categorised by sensitivity (ordinary personal data versus special category data such as health or ethnicity), or by type, such as employee information, client information, etc.
Then, keep records of where this data came from and keep track of when it was accessed, amended or requested. This is sometimes known as an information audit or data-mapping exercise. How you record this information is up to you - it's just important that you can promptly provide these records should the ICO ask for them.
3. Provide a reason for why you hold the data
Holding and recording the information you have is a great start, but it's also imperative that you document why you need to gather it. This is part of what GDPR calls the accountability principle, and the reason you record must correspond to a lawful basis for processing.
Whether the data is stored for internal staff purposes, for marketing efforts or to track customer orders, your records must show this. You must also update the privacy notice on your website to tell site visitors clearly what you use the data for and how long you will retain it.
4. Cover the individuals’ rights
As part of GDPR, you must ensure that you cover the eight individual rights. These are:
- The right to be informed - every individual has the right to be informed of what data is stored about them and how it is used
- The right of access - every individual has the right to request access to the data held about them, also known as a subject access request
- The right to rectification - every individual has the right to have inaccurate information rectified
- The right to erasure - every individual has the right to have personal data erased
- The right to restrict processing - every individual has the right to request that their personal data is restricted or suppressed
- The right to data portability - every individual has the right to obtain their personal data in a structured, commonly used format and reuse it for their own purposes across different services
- The right to object - every individual has the right to object to the processing of personal data in some circumstances, including an absolute right to object to direct marketing
- Rights in relation to automated decision making and profiling - every individual has the right not to be subject to a decision based solely on automated processing, including profiling, where it has a legal or similarly significant effect on them.
To ensure you cover these aspects, you should review your data processes and check that the above can be achieved.
5. Develop a process for data requests
One of the rights mentioned above allows individuals to make a subject access request, and this must be observed. It's important that you have a process in place so that when a request does come in, you're able to handle it efficiently. You must provide them with the data they require without undue delay and at the latest within one month of receiving the request (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month), or, should you wish to refuse a request, explain the reasons for the refusal and their right to complain to the ICO.
As part of your procedures, it's a good idea to keep a log of what records were disclosed and when, as well as a log of any records that have been erased or rectified at the data subject's request.
6. Review how you manage consent
Consent is one of the lawful bases for processing personal data, but not the only one, and it is often not the most appropriate. Where you do rely on consent, it must be freely given, specific, informed and unambiguous, so consider carefully how you request, record and manage it. If consent you've taken in the past doesn't meet the current standard (for example, pre-ticked boxes or consent bundled into terms and conditions), you will need to request it again to comply, or rely on a different lawful basis.
7. Consider processes for children’s data
Unlike the DPA, GDPR has specific rules about children's data. In the UK, if you rely on consent to offer online services directly to children, you need consent from a parent or guardian for anyone under 13 and must make reasonable efforts to verify it, so review your processes if you hold data on people in that age group. Privacy notices aimed at children also need to be written in language they can understand.
8. Organise processes for data breaches
A data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Breaches can be caused by an outside attacker, which you cannot completely control, or by a mistake inside your own business, such as a misdirected email or a lost laptop. You can, however, put security measures in place to keep customers' data as safe as possible and have processes in place should a breach occur.
You and your staff should understand what a data breach is, how to contain it and how to investigate what happened. If the breach is likely to result in a risk to individuals' rights and freedoms, you must report it to the Information Commissioner's Office (ICO) within 72 hours* of becoming aware of it. Where the risk is high, you must also notify the affected individuals without undue delay. Keep a record of every breach, including those you decide not to report, and why.
To protect yourself from the costs associated with data breaches, such as data restoration, ransom demands, loss of profit, etc., you should consider taking out cyber insurance as an additional safeguard. If the worst happens and you are the victim of a cyber crime, repairing the damage could cost your company thousands of pounds, and cyber insurance can cover some or all of that financial burden, depending on the policy.
9. Read up on the ICO's guidance on data protection impact assessments
The ICO provides comprehensive guidance on data protection impact assessments (DPIAs, formerly known as privacy impact assessments). A DPIA is mandatory before starting any processing that is likely to result in a high risk to individuals, such as large-scale profiling or systematic monitoring. It's really important that you and any key employees read this guidance so that you understand what a DPIA is, when your business must carry one out, and how to document it.
10. Appoint a data protection officer
If you're a public authority or body, or if your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data, you must appoint a data protection officer. This person's role is to ensure that GDPR is adhered to, that there are strict processes and procedures in place (as discussed above) and to communicate with the ICO when necessary. You may appoint someone who already works for the business, provided the role does not conflict with their other duties, or you can hire a new officer.
11. Follow international procedures
If your business operates across multiple countries or continents, you must review how personal data is shared between each location. This review can be done internally or with the relevant authority in that country. GDPR applies to organisations established in the EU and to those outside it that offer goods or services to, or monitor, people in the EU. Transferring personal data to a country outside the EU, such as Australia or the US, requires an appropriate safeguard, such as an adequacy decision or standard contractual clauses, so review your international procedures if your business also operates there.
Following GDPR may be easy or difficult, depending on what your business does and how much data you hold. For further information, it's best to look on the ICO website, which has many guides and resources to help you. You can also use our blog, Help and Guidance for Professionals, to find more information on a whole range of topics, including IR35, marketing advice, legal tips and more.
*72-hour timeframe for reporting a breach correct as of December 2021. Source – www.ico.org.uk