10 steps to GDPR compliance

GDPR will affect everyone in the UK – especially if you process, control or hold data.  

It’s rocked the boat in a big way. GDPR has changed the definition of personal data in the digital age, and brought new policies in place to regulate how companies gather, hold and process data. The GDPR principles are very different to our current data protection laws, so it’ll take careful consideration and planning to get compliant.  

GDPR comes into force on May 25th 2018, so now’s the time to get started. Follow these 10 steps to make sure you’re GDPR-ready when the time comes.  

1. READ ALL ABOUT IT  

There’s loads of information online about GDPR – from the new definition of personal data to how it will affect the sector. You’ll need buy-in from senior management as well as the rest of your staff, so make sure training is company wide.  

2. BE ACCOUNTABLE 

Under GDPR, you’re accountable for all data your company holds. Make an inventory stating why you hold that data, why you need it and if it’s stored in a safe manner.  

3. PERSONAL PRIVACY CHANGES 

Data subjects have the right to data protection, and this protection has changed a little under GDPR:  

  • The right to be informed 
  • The right to rectification 
  • The right to erasure 
  • The right to restrict processing  
  • The right to data portability 
  • The right to object 
  • The right to access 

If you’re a data controller, you’ll have to fulfil these rights or make sure your data processor can.  

4. SHARE YOUR POLICIES 

GDPR affects everyone and it’s your responsibility to share your data policies with customers, users and staff.  

5. CHECK LEGAL CONSENT 

GDPR has tougher rules when it comes to the legal collection of data. You’ll probably need to update your policies to make sure you gather and process data legally.  

6. ACCESS REQUESTS  

Under GDPR, all access requests must be dealt with within 1 month, so make a plan for how you’ll handle requests in the new timescale.  

7. CUSTOMER CONSENT  

To process a person’s data, you’ll now need explicit consent. You may need to review how you seek, obtain and record consent, and see if you need to make any changes under GDPR. 

8. CHILDREN’S DATA  

GDPR states that children cannot give consent for their data to be processed – but the age of consent is changing in different countries. You’ll need to know the age of consent in the countries you operate in and make sure you don’t seek consent from anyone under that age.  

9. APPOINT AN OFFICER 

Appoint a data protection officer to oversee the changes in your business. It needs to be someone with the knowledge, support and authority to do the job well.  

10. PLAN FOR BREACHES 

One of the biggest challenges GDPR presents is its data breach requirements. Breaches must be reported within 72 hours, so you’ll need procedures in place to detect, report and investigate a breach.  

 

This is all pretty serious stuff – and if you don’t comply, you could face fines of up to €20 million or 4% of annual turnover. To see what we’ve done to prepare for GDPR, download our FAQs. It explains exactly how OneFile complies with GDPR and what it means for our customers, users and partners.  

Download guide

 

We’ve also created 2 checklists – 1 for data controllers and 1 for data processors – to help you get ready for GDPR. 

Get data controller checklist

Get data processor checklist

Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.  

 

Find out more about OneFile’s learning software, sign up to our free webinars.  

For more articles and updates follow OneFileUK on TwitterFacebook and LinkedIn