GDPR: Best practices for compliance


It’s now less than a month until the EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018, governing how organisations collect, store and use personal data. It goes without saying that all organisations should be training their managers and executives on the GDPR and how it affects every decision involving personal data, as well as reviewing all of their systems, security practices and related documentation. The ICO has published a useful 12-step guide for those still seeking guidance.

With preparations well underway, is your business upholding best practice methods?

Preparation

  • Document all processing activities that involve the collection, use and safeguarding of personal data, including the purpose of each activity and how long the data is kept
  • Build and improve processes and features so you can respond quickly and reliably when individuals exercise their rights, e.g. the right to erasure (‘right to be forgotten’) and the right of access
  • Re-evaluate all processors and sub-processors to confirm they have adequate security measures in place for the personal data they handle, and make sure your contracts with them impose the processor obligations the GDPR requires (Article 28)

Best practice methods

Consent: consent is one of the lawful bases for processing personal data, and where a business relies on it, the consent must be freely given, specific, informed and unambiguous, with a record of when and how it was obtained. This applies to data gathered after 25 May 2018 and to data already held: existing consents that do not meet this standard cannot simply be carried over. In practice this means auditing all existing personal data to confirm the lawful basis for holding it, and refreshing consent where that basis is consent and the current records fall short.

Disclosure: the regulation requires any organisation within its scope, wherever it is based, to notify the relevant supervisory authority (the ICO in the UK) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected individuals, they must also be told without undue delay. Organisations should therefore have an incident response process that can assess a breach and reach a notification decision inside that 72-hour window.

Right to be forgotten: businesses handling the personal data of individuals in the EU must erase it without undue delay when an individual asks them to and one of the grounds for erasure applies, for example where the data is no longer needed for the purpose it was collected for or the individual withdraws the consent the processing relied on. The right is not absolute: the regulation sets out exemptions, such as where the data must be kept to meet a legal obligation. Consequently, organisations should be working out how to locate every copy of an individual’s data, including copies held by processors and in backups, and implementing processes for responding to ‘right to be forgotten’ requests in a timely fashion, normally within one month of the request.

Penalties for non-compliance: fines for the most serious infringements can reach €20m or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to €10m or 2% applies to other infringements, such as failing to keep records of processing or failing to notify a breach.

Thursday, April 26, 2018