Five questions to ask when starting a GDPR Compliance Project
1) Do you understand how your business uses data?
You need to conduct a data use and security. Can you map answers to the following questions:
- What types of personal data do you use?
- Do you hold sensitive data such as health information?
- What types of processing do you undertake?
- Do you make any decisions based on automated processing or profiling of individuals?
- Where will data be stored? How secure is it?
- Who has control over the data?
- Will personal data be transferred outside the EEA?
2) How can you strengthen and design new policies and systems for GDPR compliance?
You need to make sure IT systems, staffing, policies and contracts are compliant with the new rights and responsibilities. Privacy policies need to be rewritten with additional information in Plain English. Some questions to think about are:
- What would you do if customer or employee data was disclosed or destroyed?
- Do you have a policy in place so that employees know what to do if they receive a request for access to personal data or to be forgotten?
- Can IT systems handle these requests?
- Are you clear about the grounds on which you collect and use data? Do you have sufficiently strong methods of obtaining consent?
- What changes should be made to your data controller and data processor contracts?
3) Can you prioritise and implement key remedial measures using a risk-based approach?
You need to identify issues that pose highest risk to business and take action to address these first. Use privacy impact assessments and think about:
- How likely are the identified risks? What is the degree of harm to individuals?
- What compliance actions are required?
- Are there any high risk processes, such as involving large quantities of sensitive personal data, which require prior consultation with the ICO?
4) Do you train your staff regularly on data protection?
Organisational culture needs to reflect the new approach in the GDPR and enshrine respect for privacy. Some things to think about are:
- Can staff training on data protection be fully embedded in the organisation?
- Do you need a dedicated Data Protection Officer?
- How can you maintain their independence and allow them to exercise a consumer-facing role?
- Do you prefer to appoint an employee to the role or to outsource the function?
5) Has your organisation committed to best practice?
We have a simple way to help - Fair Data Accreditation. Contact us today and we can help guide you through the process.
MRS' Fair Data Accreditation is the only mark that allows companies to show best practice in data protection. It will take you most of the way towards GDPR compliance. Find out more.
Tel: +44 (0)20 7566 1874