Distilling GDPR: The top five things to remember
PUBLISHED: 05:30 25 May 2018 | UPDATED: 15:53 25 May 2018
This content is subject to copyright.
The day of the GDPR is upon us – but some may still be struggling with the leviathan task of achieving compliance.
David Higgins, director of cyber security consultancy 4ITSec, has given his five top tips for GDPR preparation.
– Establish what “personally identifiable data” you have
You also need to establish where the data came from, why you have it, where it is, who has access to it, who you share it with, whether it is protected and whether you still need it.
If you have personal data stored, you are the controller and are responsible for the data; if you pass it to a third party, for example a marketing firm, they are the processor. You are both liable under GDPR.
– Create internal processes and procedures to cover subject access requests (SARS)
A user has a number of rights under GDPR, including: to access the data you hold on them; to have data errors corrected; to have their data erased; to object to direct marketing; to stop data profiling and automated processing; and to move their data to another business.
They may also request to know why you are processing their data, how long will you keep their data for, and who else has been given their data. All requests need to be answered within 30 days, and all responses and actions need to be recorded so as to be “auditable and accountable”.
– A major part of GDPR is around consent, so remember these points when collecting personally identifiable information
Consent must be freely given, and must be specific to the task, informed and unambiguous – no more one-size-fits-all sign-up forms or pre-ticked boxes.
Requests for consent must be concise, transparent, intelligible, and in clear and plain language.
You must inform people that consent may be withdrawn, and inform them of data subject rights and their rights to complain to the DPA (Information Commissioners’ Office).
You must be able to demonstrate that consent was obtained lawfully (for auditability and accountability).
– Processing “high risk” data requires different paperwork
When you process “high risk” data (for example medical, sexual or religious) you must conduct data protection impact assessments (DPIAs), which will specify how this type of data needs to be stored.
– Companies must show data protection governance by law
You need to show you take data protection seriously; you could employ a data protection officer (DPO) to advise the business of its obligations, monitor company compliance and oversee staff training and enquiries.
– Create a process in case of a breach
If you suffer a breach or loss of personal data you must notify the Information Commissioner’s Office within 72 hours. You also need to notify each individual whose data has been compromised or lost – effectively, you will have to publicly shame your company.