G. D. P. R.: four dreaded letters that are gaining lots of air time.
Data protection and data privacy have always been delicate topics, and there are still misconceptions surrounding them, largely due to the technical terms and jargon associated with computer systems. However, unlike the Data Protection Act, which provided a set of principles for data protection, the General Data Protection Regulation is law, and regulatory compliance is therefore mandatory. With only a couple of weeks left before it comes into force, it seems quite evident that a large number of companies will probably not be ready by the deadline of 25th May 2018.
However, if you are reading this, then I have good news for you: the truth is that the GDPR is not that complicated! At Priority One, our certified GDPR practitioners are experts in data protection and can help you become GDPR ready in only 14 days, with our simple, yet highly effective, 3-step plan of action.
Step 1. Risk assessment
The first step involves mapping out your data to produce a ‘data map’. This is crucial for an overall understanding of the type of data you hold (sensitive, confidential, or corporate), the location of the data (shared drive, external backup), the access controls implemented (who within the business has access to the data) and whether or not it is shared with third parties. A website audit is also carried out to check that appropriate cookie and privacy policies are in place. The main objective is to risk-assess the observations and findings from the data map against the GDPR requirements. This will point out which articles of the GDPR are currently breached and will also give an indication of the financial risks associated with those breaches (fines under the GDPR can reach up to 20 million euros).
Step 2. Remediation
The next step involves remediation work to ensure that the issues found in the previous step are addressed and brought into line with the GDPR requirements. This step includes rewriting website policies and creating template documents to ease the overall process: marketing consent forms (where needed), a privacy notice, contract clauses and letters to third-party processors. We will also help you determine an appropriate legal basis for collecting and processing data if this has not yet been established.
Step 3. Compliance
Finally, we will implement any remaining items of the 12-step plan for GDPR readiness set out by the Information Commissioner’s Office. This mostly revolves around making sure that appropriate policies are in place to report a data breach (to the users and to the regulatory bodies), determining whether or not you need to appoint a Data Protection Officer, checking that you have implemented appropriate measures to handle sensitive data such as children’s data, and confirming which procedures are in place to handle a Subject Access Request.
This 3-step plan of action ensures that all areas of the business are covered and that GDPR readiness is successfully achieved.
If you have queries about this post or with regard to how Priority One IT can help you with GDPR readiness, please contact us. Our cyber security division has a team of certified GDPR practitioners and data protection experts ready to assist you on your journey to GDPR compliance.