8 questions to ensure GDPR compliance

Written by: Spencer Wyer
Publish Date: May 25, 2018
Read time: 8 minutes

We’ve seen the continuous train of emails. We’ve watched the news constantly bring data protection to the forefront. The long-anticipated regulation is finally here. For years the General Data Protection Regulation (GDPR) has been slowly approaching, with some businesses adopting measures to meet compliance. As the date has grown closer, it has become apparent that many organisations still do not have procedures in place to meet the new regulation.

Recent research (1) before the deadline revealed that 85 percent of businesses in Europe and the US would not be ready in time. We’ve put together a guide on what organisations can do now to achieve compliance and avoid any fines and damage to reputation. Below you’ll find a breakdown of the key principles that your organisation needs to be aware of.

1. Does your organisation need a data protection officer?

Assess whether or not to appoint a data protection officer (DPO). All public authorities, and companies that practise regular and systematic monitoring of data subjects on a large scale or that conduct large-scale processing of special categories of personal data, should appoint a DPO.

2. Is your data catalogued correctly?

Ensuring that data in your organisation is correctly catalogued is crucial. This includes aligning it to approved retention policies and making sure that data that is no longer required is securely erased. It also covers data stored in the cloud and paper documents stored off-site. Paper documents that have been stored off-site for decades may now have been scanned and duplicated in online systems – while paper is difficult to hack, document storage must be compliant with the principles of GDPR. At EDM Group we have a document management scanning solution that allows organisations to digitise documents in high volume and in bulk, and that can streamline complex workflows accurately.

3. How are paper documents dealt with?

Consider how paper documents are dealt with. Paper documents containing personal data entering the organisation must meet the GDPR regulations as they move through various business processes. By setting up a Digital Mailroom, you can ensure that you have a clear and compliant audit trail for all paper documents entering the business.

4. Do you know where personal data is stored?

Conduct due diligence on where data is being stored. This applies to data stored in the cloud by cloud application providers and other data processors. This could include file sharing apps used by individuals within the business as well as corporate systems such as accounting, CRM, personnel and content management platforms.

5. Is your cloud hosting provider secure?

Ensure your cloud hosting provider is secure. Make sure the cloud hosting provider has the tools and technologies in place to protect data, identify and report a data breach and produce information and/or incident logs when required. Request confirmation from the cloud hosting provider that data is not leaving the EU or that it is not crossing borders to non-compliant countries where there is a higher potential risk of espionage.

6. Have you got a record of all your data processing activities?

Create the required Records of Processing Activities. You can begin by identifying the lawful basis for your data processing activity in the GDPR, then document it and amend your privacy notice to explain it to data subjects and the ICO.

7. Is your data protection policy up to date?

Update Data Protection Policy and data breach procedures. It is imperative to ensure you have the right procedures in place so your company can easily identify, report and investigate a breach of personal data.

8. Have you reviewed consent, privacy notices and data subject rights?

Review procedures for subject rights and update privacy notices and consent forms. Ensure that all procedures for subject rights are updated to the legislation set out in the GDPR. Amend privacy notices and consent forms to prepare for the changes to individuals’ rights.

Final Thoughts

While the GDPR will no doubt cause a major shakeup of the data protection regime in the EU, it is also an opportunity for organisations to demonstrate best practice in data and document management and use this to enhance trust in their business and processes.

Now implemented, the GDPR is the law. The threat of tougher fines, which could put any organisation at risk regardless of size, is reason enough to hit the ground running.

It is time to get the basics in place. If you need assistance with document management, please do contact us or explore our document scanning and digitisation services.


  1. Capgemini. (2018) Seizing the GDPR advantage: from mandate to high-value opportunity. (Date accessed 25/05/2018: https://www.capgemini.com/gb-en/resources/seizing-the-gdpr-advantage-from-mandate-to-high-value-opportunity/?utm_source=pr&utm_medium=referral&utm_content=insightsdata_countryorganic_link_report_gdpr_dti_uk&utm_campaign=secureassets_gdpr)
