September 13, 2017
Gavin Sweet was part of a panel on GDPR at Comms Business’ Channel Live event at the NEC. GDPR is a big business story right now. The only other event we can remember which had this much coverage was Y2K. And we all remember how that panned out!
As you would expect there was a lively discussion and lots of technical points raised. However, our view is that GDPR doesn’t have to be complicated or scary, so we’ve boiled it down to some essential actions which will form a simple GDPR action plan.
The biggest mistake you could make is doing nothing
Make sure that you have reviewed what’s required of you – you probably don’t need a formal Data Protection Office (DPO), but you should have nominated someone to handle GDPR.
Review the simple steps recommended by the Information Commissioners Office. There’s a really good overview of GDPR on their website.
Ask your suppliers and cloud outsourcers what they are doing, and who they have is nominated as data controllers
Rough out at least a basic GDPR policy and procedure doc, doesn’t need to be elegant, just a description of some basics as to how you will handle your accountabilities.
Your plan should cover the following points, though you may need to add additional elements depending on how your business is storing and processing data.
- We know where our data is (what system/supplier and what territory) and what kind of personal data we have (i.e. names, phone numbers, email, credit cards etc) – and we can map this across our systems and suppliers
- We know how we control and process that data, and for what purpose, and that the purpose is lawful – and we could explain that in simple language to a customer
- We have some kind of method to handle DSARs (data subject access requests) whether for information, rectification or erasure etc (or we have been told this by our suppliers) – that means that you can roughly map out how we access and interrogate the systems we identified above
- We have done a check on the consents on this data (we don’t have to fully refresh everything right now), and we have done a quick review of the “notices” that we use when we capture new data (i.e. how it’s going to be used and by who) – new consents have to be clear, explicit and unambiguous, implied consents for different purposes aren’t good enough – consent must be explicit.
- We have a basic plan for what we would do if there was a breach of data (or if a supplier of ours breached data).
If you create a plan along these lines, checking it against the information from the Information Commissioners Office and perhaps an external GDPR specialist, you should be ok.
Once you have a plan make sure your team understand it and its implications. Like all systems they’re only any use if they are applied across your business.