The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. With fines for non-compliance of up to 4% of group turnover or €20 million, it’s not too soon to be fully prepared and confirm whether your current systems will either help or hinder and take the necessary steps to ensure compliance.
Below are 10 steps to make sure you’re ready for May 2018.
1. Get board and management buy-in
GDPR non-compliance is a significant business risk, especially if you handle customer and client data, but even if you don’t, your employee data will need to be secure. The board and Senior Management teams should be involved.
2. Organise a GDPR team
Your IT department’s input will be key; they are likely to have responsibility for ensuring the technical security and accessibility of data. HR will be involved in managing employee data, as well as with training and education on GDPR.
The marketing team will need to look at how they use data for direct marketing and other purposes.
Procurement team will need to make sure their suppliers are compliant with GDPR too.
Finance will be storing personal data for payment.
The legal team will advise on compliance and may take the lead on the project.
You may need to use external advisers: for example, external legal advice on a detailed plan of compliance, and IT specialists to conduct a data audit, implementing appropriate security measures if necessary.
3. Carry out a data audit
What do you hold & where?
How long do you hold it for?
What do you use it for?
What do your third party suppliers have access to? (you are responsible for what they do with your data, so you need to be sure they’re compliant too)
Where do we record who has accessed data and why?
What about transfers of data outside the EU? How is this managed and recorded? Schemes such as the EU-US Privacy Shield are usually well worth considering, although hosting data within the EU is nearly always your safest bet.
4. If your organisation operates in more than one international country you should decide your lead Data Protection Authority
5. Purge your data
There’s no point in keeping data that has no value to you, given the risks of something happening to it. Have a regular ‘cleanse’ of data you hold that has no purpose. “It may be useful one day” isn’t usually a valid reason, given the potential risks of data becoming exposed.
6. Secure your data
Make sure the data you have is protected. Encryption, user access control and audit logs are essentials when it comes to security.
Ruby Datum is useful not just for Virtual Data Rooms, but also a Document Management System in ensuring compliance when it comes to GDPR. Please feel free to get in touch, should you wish to secure your documents.
7. Review policies and procedures
What is your legal justification for holding personal data?
Do you need specific consent?
What about reporting data breaches? There is an obligation to report within 72 hours, not just for loss of data outside the organisation, but employees gaining access to data they shouldn’t.
8. Work out how you will deal with people using their ‘rights’ over data
If you hold data on someone, they have the right to view it, request its deletion (the “right to be forgotten”) or amendment, to have it transferred to someone else, all within 30 days. Can you do that? If not, work out what you will need to do.
9. Start educating and training your employees
Make sure everyone knows who the main point of contact is for managing data protection requests and what they need to do.
10. Prove compliance
If you’ve complied with steps 1-9 above, you should be compliant. But that is no use unless you can prove it. Make sure you have documentation setting out exactly how you are compliant, with logs for actions taken on an ongoing basis (this is not a one-off project, and complying with the obligations will require constant review).
If you are currently a Ruby Datum customer, we are confident that our Virtual Data Room / Document Management System will satisfy many of the security and audit challenges mentioned briefly above. The Virtual Data Room will securely detail data access by whom & when, noting any changes and be recorded for Administrators.
If you are not a Ruby Datum customer yet, we would be pleased to talk to you about GDPR, on the phone, over a coffee or in your office.
While we have carried out extensive research to complete this article, we must emphasise that we are not qualified to provide legal advice and should you want to ensure a rigorous journey towards full GDPR compliance, we would be delighted to put you in touch with one of our Law Firm clients.