10 tips for getting ready for GDPR
Firstly... what is GDPR?
It's the General Data Protection Regulation and comes into play on May 25th 2018. I'm not going to explain it all just now, but I would definitely suggest an internet search on it. Get yourself up to date on its impact on you and your business. This post is a decent place to start: What does GDPR mean for my business?
I'm just going to list 10 things that you should do RIGHT NOW!
1: Technically the bit that I have just advised you on above. Read about it. Find out more. Find out who would be responsible. Who are the key decision makers in your organisation? Whoever that person is has to be aware of the impact that it is likely to have on you and your organisation.
2: Arrange a Data Information Audit. You should detail, or be aware of, what personal data you have, where you got it from and who you share it with.
3: Do you have a Privacy Notice? If not, you should be thinking about getting one written up right away. Your privacy notice should consider the following: What information is being collected? Who is collecting it? How is it being collected? Why is it being collected? How will it be used? Who will you be sharing it with? ... to mention but a few.
4: Consider how you will delete an individual's details if they fail to 'opt-in'. Saying that you 'forgot you had it' will not be accepted as a valid 'excuse'.
5: You will need to review how you seek, record and manage consent. Have a look at your existing consent procedures and see if they tie in with the upcoming GDPR standards.
6: If you are processing any data at all, you will need to consider how you verify individuals' ages and whether you have to obtain any parental consent.
7: What happens if you have a data breach? What procedures do you have in place to detect, report, investigate and rectify a personal data breach?
8: Visit the Information Commissioner's Office website and familiarise yourself with their code of practice on Privacy Impact Assessments.
9: Consider the appointment of a designated Data Protection Compliance Officer ... or similar. That might just be you if you are a small company like myself. But in principle, it's a good idea to 'designate' a person : )
10: If you or your organisation operates in more than one EU member state, you will need to find out your lead data protection supervisory authority and detail it. The ICO website will guide you on this.
Riveting stuff eh?
Don't ignore this and end up running about like mad on the 17th of May next year. Make a start this side of the year and I am sure that the start of your 2018 will be less painful.