Distilling GDPR: The top five things to remember

PUBLISHED: 05:30 25 May 2018 | UPDATED: 15:53 25 May 2018

GDPR is coming - how prepared is your business? Picture: Getty Images/iStockphoto.
The day of the GDPR is upon us – but some may still be struggling with the leviathan task of achieving compliance.

Internet security specialist David Higgins. Picture: Archant

David Higgins, director of cyber security consultancy 4ITSec, has given his five top tips for GDPR preparation.

– Establish what “personally identifiable data” you have

You also need to establish where the data came from, why you have it, where it is, who has access to it, who you share it with, whether it is protected and whether you still need it.

If you have personal data stored, you are the controller and are responsible for the data; if you pass it to a third party, for example a marketing firm, they are the processor. You are both liable under GDPR.

– Create internal processes and procedures to cover subject access requests (SARS)

A user has a number of rights under GDPR, including: to access the data you hold on them; to have data errors corrected; to have their data erased; to object to direct marketing; to stop data profiling and automated processing; and to move their data to another business.

They may also request to know why you are processing their data, how long you will keep it for, and who else has been given it. All requests need to be answered within 30 days, and all responses and actions need to be recorded so as to be “auditable and accountable”.

– A major part of GDPR is around consent, so remember these points when collecting personally identifiable information

Consent must be freely given, and must be specific to the task, informed and unambiguous – no more one-size-fits-all sign-up forms or pre-ticked boxes.

Requests for consent must be concise, transparent, intelligible, and in clear and plain language.

You must inform people that consent may be withdrawn, and inform them of data subject rights and their right to complain to the DPA (Information Commissioner’s Office).

You must be able to demonstrate that consent was obtained lawfully (for auditability and accountability).

– Processing “high risk” data requires different paperwork

When you process “high risk” data (for example medical, sexual or religious) you must conduct data protection impact assessments (DPIAs), which will specify how this type of data needs to be stored.

– Companies must show data protection governance by law

You need to show you take data protection seriously; you could employ a data protection officer (DPO) to advise the business of its obligations, monitor company compliance and oversee staff training and enquiries.

– Create a process in case of a breach

If you suffer a breach or loss of personal data you must notify the Information Commissioner’s Office within 72 hours. You also need to notify each individual whose data has been compromised or lost – effectively, you will have to publicly shame your company.
