Post-GDPR steps

Next story

We now live in a post-GDPR world. Make sure you aren’t caught afoul of the new regulation with these simple steps.

1.       What is your lawful basis for processing data?

There are six lawful bases for processing data, no one is superior to another but at least one must apply to the data you hold. The six are: consent, contract, legal obligation, vital interests, public task and legitimate interests.

Most are quite self-explanatory but it is imperative that you understand which applies to your organisation and why.

2.       Do you have/need a Data Protection Officer

A Data Protection Officer (DPO) is the person in an organisation responsible for monitoring your compliance, advising on your data obligations and should act as the contact point for data subjects and supervisory authority. Read this post for more details.

You need to appoint a DPO if: you are a public authority; your core activities require large scale, regular and systematic monitoring of individuals; your core activities consist of large scale processing of special categories of data or data relating to criminal convictions.

3.       What processes do you have in place to deal with “individual rights” requests?

These are the rights that we covered in our previous post, such as the right to erasure, the right to be informed, the right to object, etc.

As illustrated in that post you should have processes in place to ensure that requests are dealt with in a timely and accurate manner: delaying could become a major issue, your DPO should be instrumental in facilitating requests.

4.       How is the data you hold stored?

This applies to data at rest, data in transit and data in use: in all these states how is the personal data you are responsible for protected?

This is where encryption is king. Even in the event that you lose data or data is stolen, if it is encrypted you do not need to inform the data subject(s) of the breach. You should still inform your local authority, the ICO for example, but they are unlikely to levy fines against you if you have done everything you can to ensure the data is unusable.   

5.       Do you have a plan in the event of a breach?

Hopefully you’ll never have to use it, but you certainly need to have it. Who is responsible for reporting a breach to your local authority? If you suspect a breach has taken place who in your organisation needs to be notified?

If you have a well thought out plan and you can answer all of the above question, you have set yourself and your organisation in great stead.

Use our GDPR Compliance Checker for more detail about your organisations level of GDPR compliance.