
GDPR Essentials

by Adam Brogden
in Blog

18-Jun-2019 10:39

The GDPR is complicated and provides little practical guidance on how to implement it. When deciding what the GDPR means for your business it helps to keep its underlying principles in mind. Take accountability, for example: accountability is a cornerstone of the GDPR. Companies must be able to show how they comply with its principles and demonstrate that they have effective policies and procedures in place.

This means a lot of documentation. At the very least you should be able to document how your company addresses each of the following:

  1. Awareness: You should ensure that all relevant people within the company are aware of GDPR and how it affects your business. This should include all senior decision makers and key people involved in the management of data and personal information, such as HR, IT and marketing departments.

  2. Data you hold: You should document what personal data you hold, where it came from and who has access to it. It may be sensible to conduct an information audit.

  3. Lawful basis for processing data: You must identify your lawful basis for processing personal data and document it. The GDPR provides six lawful bases; the ones most businesses rely on are the consent of the data subject, the legitimate interests of the data controller or a third party (for example, processing needed to run the business), and the need to process the data to perform a contract with the data subject or to take steps at their request before entering into one. The remaining bases are compliance with a legal obligation, protecting someone's vital interests and performing a task in the public interest.

  4. Privacy notices: You should update your privacy notices and make them freely available, fair and easy to understand. These should state who you are, what personal information you hold, where the information was sourced, what purposes the information will be used for and how long it will be held. The privacy notice must also explain your lawful basis for processing data. You must also explain that individuals have a right to complain to the Information Commissioner if they believe that there is a problem with the way you are handling their data.

  5. Individuals’ rights: You should ensure that you have procedures in place so that individuals can easily exercise their right to demand that they can see, correct, restrict access to or remove their personal information from your systems. You must also be able to provide this data in a commonly used electronic format.

  6. Data breaches: You should have procedures in place to detect, report and investigate a personal data breach. A breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk to individuals is high, the affected individuals must be told as well. If you hold sensitive personal data you should assess the types of personal data you hold and document in advance the circumstances in which you would be required to notify the ICO in the event of a breach.

  7. Data protection officer: You should designate someone to take responsibility for data protection compliance within the company. Appointing a formal Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other companies may appoint one voluntarily, but should still record who is responsible.

  8. Data protection by design and Data Protection Impact Assessments: Privacy and data protection must be key considerations in the early stages and throughout the lifecycle of any project the company embarks upon. A Data Protection Impact Assessment (DPIA) is required where data processing is likely to result in a high risk to individuals. The GDPR describes such risk as processing that could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to an individual.

Optindigo provides complete documentation sets that cover all these principles and help you manage your ongoing compliance.

Good luck all.