Ten Steps To GDPR Success

Ten Steps To GDPR Success

In my third and final article (hopefully) about the fun subject of the GDPR, I would like to leave you with steps you can take to prepare for the General Data Protection Regulation. Please like or share this article - people will find this useful!!

The positive info is that many of the main concepts of the GDPR are much the same as in the current DPA. So that’s the good news – if you are complying with the current law then most of your approach to compliance will remain intact and you just need to build on those areas. Although there are some new elements/enhancements that you need to pay particular attention to.

What is the GDPR?

To recap from my previous posts, the new General Data Protection Regulation (“GDPR”) was formally adopted by the European Union in April 2016 and came into force on 24th May 2016. It will apply in the UK and other European Union member states from 28th May 2018. The Government has confirmed that the decision to exit the European Union will not have an effect on the General Data Protection Regulation’s implementation, although employers should be aware that Data Protection is one of the areas that the Government is said to want to review post-Brexit. If your organisation fails to comply, you (well your company) could be exposed to fines of up to €20m, or 4 per cent of your global turnover - ouch.

What do you need to do?

1 Thou Shalt Get Buy in and Awareness

  • Start with the end goal in mind and plan your approach, you will need to get buy in from key people in your organisation.
  • Ensure key people are aware that the law is going change, make them aware of the impact it will have.
  • Implementing the GDPR may be time-consuming and be a drain on resources – do not leave this to the last minute. I know, it’s cliché but failing to prepare, is preparing to fail!!

2      Thou shall review the Information you hold

  • List/record all the personal data you hold, where it came from and whom you share it with.
  • Hold the most fun sounding party of all time – Information Audit Party… woohoo...
  • The GDPR requires you to maintain accurate records and maintain update rights. This means that if you have shared inaccurate data, you need to tell the other organisation about the inaccuracy so they can update their records.
  • So, to do this you need to know every bit of personal data you hold and whom you share it with.
  • This will also help you comply with the GDPR accountability principle – meaning you need to show how you comply with data protection principles.

3      You shall Communicate privacy information

You will need to review what you are currently doing for privacy notices and put a plan in place for making the changes you will need to implement.

Now, you will need to explain:

  • Your lawful basis for processing the data.
  • How long you intend to hold the data for.
  • That individuals have the right to complain to the ICO if they have a problem with how you are handling their data.
  • No more war and peace in terms – it needs to be clear, easy to understand and concise.

4      You shall deal with individual rights

Check your procedures to ensure they cover the rights each individual is entitled to. These processes need to include how you delete personal data.

Mostly the rights are the same as under the DPA, but with a few major enhancements.

Here are GDPR rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision making... Including (if you have read my last article) profiling...

Portability is new – look into it. It applies to personal data, where the processing is based on the individual's consent (or for the performance of the contract) and when it is automated.

5      Thou shall plan subject access requests

  • Plan how you will handle data requests – make sure everyone knows and understands the process.
  • If someone requests details on the data held you will not be able to charge for this now (well most of the time) and you will have less time (30 days) to comply with the request.
  • If you get a lot of requests – you will now have to plan how to deal with these in shorter time scales...

6      You shall have lawful basis for processing personal data

This is the best part of GDPR – well if you are a lawyer or someone who likes writing out policies...

  • You need to identify the lawful basis for your processing activity – document it and update your privacy notice.
  • You will have to explain your lawful basis for processing data in the privacy notice and when answering access requests.

Review the types of data processing you do, write them down and document the lawful basis. Get this documented – this helps you comply with the accountability requirements.

7      Thou must have consent

  • Review how you seek, record and manage it – you may need to make changes. This will have a big effect on talent pools, ATS and application processes.
  • Consent must be freely given, specific, informed and unambiguous, and easy to withdraw.
  • See my last articles – positive opt-ins are now required!! 
  • Mostly you will need to refresh all your data to make sure you have GDPR compliant consent.

8      You shall deal with Data breaches

You will need procedures in place to detect, report and investigate, a personal data breach.

  •  GDPR means you will have to report data breaches to the ICO - well only if it results in a risk to the rights and freedom of individuals.
  • You will also need to notify the individuals directly… ugh...
  • Now, you can be fined for failing to report a data breach as well as a fine for the breach.

9      (Insert witty biblical quote) Data protection by design (DPD) and data protection impact assessments (DPIA) – really interesting stuff ahead (sarcasm)

This is a legal requirement now, data protection by design and default. As per the GDPR...

DPIA is mandatory where:

  •  New technology is deployed.
  • Where profiling will affect the individual (ATS and recruitment process).
  • Where processing is on a large scale.

If your DPIA shows that you have a high risk and you feel you cannot address those risks – you need to consult the ICO.

 You need to find out the situations where it will be necessary to conduct a DPIA – who will do it? Who needs to be involved?

10 Data protection officers?

Someone, (probably you if you have survived this article so far) will need to take responsibility for data protection compliance. You will need to see where this will sit within your companies’ structure and governance.

You may need to appoint a data protection officer, especially if:

  • You are a Public authority.
  • Your company carries out regular and systematic monitoring of individuals on a large scale.
  • You carry out large scale processing of special categories of data, such as health records etc.

This is soooo important – make sure someone takes responsibility, either in your HR department or your ATS/recruitment supplier.

Well, congratulations, you have survived the 10 steps to success with the GDPR! If you follow the above you will be on your way to helping your business to be compliant under the new regulations, minimising the risk of a fine. Please click like or share the article if you have found it useful!

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics