GDPR: Am I ready?

The General Data Protection Regulation (GDPR) is a new legal framework that comes into effect on 25th May 2018. Here are some key questions to ask yourself to help you get GDPR ready.

Am I a controller or a processor?

When it comes to handling personal data you can generally categorise yourself as either a data controller or a data processor (or both!). A controller decides why and how the data is processed; a processor only processes the data on the controller's documented instructions.

An example for your business would be you, as the controller, deciding to run payroll using your employees' data, and us at APS, as the processor, running that payroll on your instructions.

What data do I hold & how?

When getting ready for GDPR, understanding what data you hold, where you hold it, why you hold it and who it is shared with is vitally important. A good way to establish this is to complete a data audit. A data audit can also help you identify weak points in your data processing, so that you can put measures in place to prevent data breaches.

The Information Commissioner's Office (ICO) website has some useful templates that you can access through the link at the bottom of the page.

Do I have a legal basis?

To process personal data you must have at least one lawful basis for doing so. The GDPR sets out six lawful bases:
• legal obligation, i.e. the processing is required by law;
• contract, i.e. the processing is necessary to perform a contract with the individual;
• legitimate interests (yours or a third party's, unless overridden by the individual's rights);
• the individual's consent;
• vital interests, i.e. to protect someone's life; or
• a public task, i.e. processing necessary to carry out an official function set out in law.

Do I have policies in place?

Personal data should not be held for longer than it is needed. Make sure you first have retention policies in place that set out how long each type of data will be held, and deletion procedures ready for when that period ends.

As well as retention policies, you should have internal policies in place that your employees can follow in certain situations, for example what to do if there is a data breach. Bear in mind that a breach which is likely to put individuals at risk must be reported to the ICO within 72 hours of you becoming aware of it, so the policy needs to get the right people involved quickly.

A specific area would be a policy for responding to a Subject Access Request (SAR). If an employee or client submits a SAR you must tell them what personal data you hold on them, why and how you use it, and provide them with a copy. The new regulations cut the deadline for responding from 40 days to one month, and in most cases you can no longer charge a fee, so be aware!

Do I have any high-risk areas?

When looking at how you process data, it can sometimes become apparent that there are high-risk areas in the processing chain. These are activities where the processing is likely to put individuals' rights and freedoms at risk. Examples include unsolicited direct marketing, profiling individuals on a large scale, systematic monitoring of people, and processing special category data (such as health or biometric data) on a large scale.

If you identify a high-risk area you must conduct a Data Protection Impact Assessment (DPIA) before the processing starts (read more on the ICO website). If your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data, you will also need to appoint a data protection officer.

Do I have consent?

Consent is only one of the six lawful bases above, and it is rarely the right one for payroll and HR data, where contract and legal obligation usually apply. Where you do rely on consent, the GDPR places huge emphasis on it being freely given, specific, informed and unambiguous. It must be on an opt-in basis moving forward (pre-ticked boxes and silence do not count), it must be as easy to withdraw as it was to give, and you will need to be able to evidence it.

Evidence of consent can include signed documentation, saved emails giving written consent, or a record of when, how and to what the individual opted in.

Are my staff trained?

To ensure compliance, all staff should be trained in and aware of the company policies, including how to recognise a data breach and a Subject Access Request. Useful information and resources can be found on the ICO website.

Please contact us with any questions relating to this article.