The GDPR approach in simple terms

There is so much talk about the GDPR (General Data Protection Regulation), which applies from 25th May 2018, that I am setting out my simple approach:

  1. Appoint a Privacy Lead.
  2. Make sure you have effective ongoing communications in place – internally with employees and externally with customers/clients and suppliers.
  3. To meet the core principles of the GDPR (lawfulness, fairness and transparency), be open and honest with your customers/clients about what data you are collecting, why you are collecting it, and how you are using it.
  4. Ensure you have a lawful basis for processing your customers'/clients' data. Consent is one basis, but not the only one (performance of a contract, a legal obligation and legitimate interests are others); if you rely on consent, it must be freely given, specific, informed and as easy to withdraw as it was to give.
  5. Audit your data and update your privacy policies (for personnel and for customers/clients), and identify relevant technology to help fill in the gaps.
  6. When auditing, assess the data you are holding, i.e.,
  • What kind of data are you storing?
  • Where does the data reside?
  • What is the format of the data?
  • Can you anonymise the data?
  • Is it centralised or does it live on multiple devices?
  • Why are you storing the data?
  • How did you get the data?
  • Do you still need to keep the data, and can it be deleted or corrected if a customer/client asks?
  • How do users access the data? Is access authenticated and logged, and is the data encrypted in transit and at rest?
  • Is the data shared with or exposed to third parties (suppliers, processors, cloud services), and is that sharing covered by a contract?

Remember:

  • Personal data is “any information relating to an identified or identifiable natural person”[1].
  • Ultimately the end goal of the GDPR is stronger protection of the personal data and rights of individuals in the EU (it applies to data subjects in the EU, not only to EU citizens).
  • A main difference between pre- and post-GDPR is that your customers/clients now have a strengthened right to erasure (the "right to be forgotten", Article 17): they can ask for their personal data to be deleted, and unless an exemption applies you must comply without undue delay.
  • Fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, are a possibility for the most serious infringements (Article 83); lower-tier infringements carry up to €10 million or 2%.
  • The Data Protection Commission’s “The GDPR and You” is a good preparation tool.

[1] The EU definition of "personal data" is set out in Article 2(a) of the Data Protection Directive 95/46/EC and is carried over, with extra examples such as location data and online identifiers, into Article 4(1) of the GDPR.
