GDPR is coming. Like it or not Every business has a responsibility to be compliant by 25th May or simply in 3 weeks from today
What must you do.
- You must nominate a person to be responsible
- You must write a policy for managing data
- You must check if you should be registered with the data protection commissioner
- You must protect the personal data you hold
- You must have a valid reason to hold it
- Ideally written permission which includes the reason and duration of keeping the data
- You must either get permission to hold the data or delete it
Some gideineds
- You must delete data within 30 if requested to do so
- What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data?
- Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
- Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption be required to protect the personal data we hold?
- Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?
- Are we implementing a policy of ‘Data Protection by Design and Default’ to ensure we’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals?
- Have we considered how we handle employee data in our plan?
- Do we have a defined policy on retention periods for all items of personal data, from customer, prospect and vendor data to employee data? Is it compliant with the GDPR?
- Are our internal procedures adequately documented?
- If we’re a data processor, have we updated our contracts with the relevant controllers to ensure they include the mandatory provisions set out in Art. 28 of the GDPR?
- In cases where our third party vendors are processing personal data on our behalf, have we ensured our contracts with them have been updated to include those same processor requirements under the GDPR?
Do we have security notification procedures in place to ensure we meet our enhanced reporting obligations under the GDPR in case of a data breach in a timely manner?