How are your GDPR plans coming along?
Here at Box-it North Midlands we are preparing for the General Data Protection Regulation, which will apply from May 25th 2018 and replaces the Data Protection Act. Many businesses that are comfortably DPA compliant will still need to improve and record their processes and strengthen data security to achieve GDPR compliance. As there are now fewer than four months until GDPR day, the time to prepare is ebbing away.
So what is GDPR?
Essentially, the General Data Protection Regulation is the law which will apply to the storage, retention, control and processing of sensitive personal data. Unlike under the Data Protection Act, the Information Commissioner's Office will require businesses to show and prove that they are compliant, rather than defend against an accusation of breach.
What is Sensitive Personal Data?
Personal data means any information which can directly or indirectly identify a person by reference to an identifier.
There is a wide range of personal identifiers, including name, identification number, location data or an online identifier, e.g. an email address or IP address.
Sensitive personal data must be:
(a) processed lawfully, fairly and in a transparent manner (lawfulness and
(b) collected for specified, explicit and legitimate purposes (legitimate
(c) adequate, relevant and limited to what is necessary (limited processing)
(d) accurate and, where necessary, kept up to date (accuracy)
(e) for no longer than is necessary for the purposes for which the personal data are processed (necessity)
(f) using appropriate technical or organisational measures (security)
What do I need to do?
(a) review the purposes of your processing activities, and select the most appropriate lawful basis (or bases) for each activity
(b) check that the processing is necessary for the relevant purpose, and be satisfied that there is no other reasonable way to achieve that purpose
(c) document your decision on which lawful basis applies to help you demonstrate compliance
(d) include information about both the purposes of the processing and the lawful basis for the processing in your privacy notice
(e) where you process special category data, you must also identify a condition for processing that special category data, and have documented this
(f) where you process criminal offence data, you must also identify a condition for processing this data, and have documented this
If you haven't already done so, the first step may be to attend one of the many free seminars being put on by local business leaders and get some advice. There will be a mix of businesses there asking questions and sharing knowledge.
An excellent example is those run by Else Solicitors from Burton-on-Trent.
So here are some steps:
Research – Review your organisation's retention policies and update them where required
Information Audit – Design and undertake an information audit, specifically including the identification and profiling of personal data
Update Register – Following the information audit, update your organisation's information asset register
Review Inventory – Review file/box level inventory in archive, including assignment of destruction review dates
Secure Destruction – Arrange secure destruction of physical records no longer required for retention
Scanning – Scan records where digital accessibility will improve response to data subject requests
Electronic Records – Determine strategy for electronic records management
Meet with Box-it – Meet with a Box-it account manager to discuss your GDPR readiness and priorities