GDPR – Have you taken action yet? Follow our Checklist
GDPR (General Data Protection Regulation) regulates the processing of personal data of individuals in the European Union, and it applies to organisations located both inside and outside the EU if they offer goods or services to, or monitor the behaviour of, people in the EU. The regulation came into force on 25th May 2018.
GDPR is not just a technology issue, it is a regulatory one which requires organisations to rethink every method they use to gather information that could be used to identify a living individual, how they store this information, how it is used and for what purpose it is kept.
Existing data on individuals collected prior to GDPR is not exempt. You must be able to show that you obtained the data lawfully in a manner that is compliant with GDPR; where you rely on consent, the consent you previously obtained must meet the GDPR standard. If it does not, you will have to obtain fresh consent, or alternatively discard the data.
CT Business Solutions can help clients get a better understanding of what they need to consider now that the GDPR regulations are in effect, and how to protect their IT systems for GDPR. We have provided a GDPR Checklist for you to go through so that you are aware of what is needed to be compliant:
GDPR Checklist Steps:
1. How do you collect and store data that could be used to identify individuals?
You need to identify all of the systems your organisation uses to collect and store personal information about individuals. This may include software applications, paper-based storage systems, CCTV cameras, mobile phones and telephone systems. You need to look at how your organisation manages personal data created in these systems to identify problem areas now.
2. Make an inventory:
Create an inventory of all personal data you hold and check:
- Do you still need this data and, if not, can it be destroyed?
- Do you have a lawful basis for holding this data? If you rely on consent, did you obtain valid consent? If not, you should obtain it now.
- Do you have a valid reason to hold onto this data?
- Do you have a set time frame for how long you intend to hold this data?
- Is it stored securely and only accessible to authorised personnel?
- Does everyone who has access actually need it to do their job?
- Are those who have access to the data aware of their data protection obligations?
- Do you share it with third parties (data processors)? For what reason do you share the data, do you have a written contract with them, and do they keep the data secure?
3. Communicating data privacy notices:
Review all your data privacy notices and make sure you keep service users fully informed about how you use their data.
4. Personal Privacy Rights:
Ensure your procedures cover all the rights individuals are entitled to, including rectification and deletion of their data, restriction of and objection to processing, and data portability where applicable.
5. Manage Access Requests:
Individuals have the right to access any personal data you hold on them, and you must respond to such a request within one month of receiving it. Make sure you can locate all of an individual's data across the systems identified in step 1 within that time.
6. Ensure you have correct customer consent opt-in :
Where you rely on consent, it must be freely given, specific, informed and unambiguous (pre-ticked boxes or silence do not count), and you must keep a record of who consented, to what, when and how. This also applies to data obtained before GDPR came into effect. A two-step (double) opt-in is best: the individual first agrees to let you use their personal data, for example via an online web form, and then confirms again by clicking a link sent to their email address. Consent should be treated as valid only once the second step is complete, and individuals must be able to withdraw it as easily as they gave it.
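The two-step opt-in described above, as an added example that is not part of the original page or of any CT Business Solutions product. It shows the point a practitioner cares about: a web-form submission only creates a pending record, consent is recorded as valid only when the emailed token (HMAC-signed, single-use, time-limited) is presented back, and the stored record keeps the evidence GDPR asks for (what was agreed to, which privacy notice version, when each step happened, and when consent was withdrawn). The 48-hour link lifetime, the `DoubleOptIn` class name and the sample email addresses are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConsentRecord:
    """Evidence kept for each consent: who, for what, under which notice, and when."""
    email: str
    purpose: str
    notice_version: str               # privacy notice version shown on the form
    requested_at: float               # step 1: web form submitted
    confirmed_at: Optional[float] = None   # step 2: emailed link clicked
    withdrawn_at: Optional[float] = None   # consent withdrawn by the individual


class DoubleOptIn:
    """Two-step (double) opt-in consent store. Example code; in-memory for illustration."""

    TOKEN_TTL = 48 * 3600  # assumed policy: confirmation links expire after 48 hours

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret           # server-side key used to sign confirmation tokens
        self._now = now                 # injectable clock so expiry can be tested
        self._pending: dict = {}        # nonce -> ConsentRecord awaiting step 2
        self._records: dict = {}        # (email, purpose) -> confirmed ConsentRecord

    def _sign(self, body: str) -> str:
        return hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, notice_version: str) -> str:
        """Step 1: record the form submission and return the token to email out."""
        email = email.strip().lower()
        rec = ConsentRecord(email, purpose, notice_version, self._now())
        nonce = secrets.token_urlsafe(16)
        payload = {"n": nonce, "e": email, "p": purpose, "t": int(rec.requested_at)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        self._pending[nonce] = rec
        return f"{body}.{self._sign(body)}"   # body.signature

    def confirm(self, token: str) -> bool:
        """Step 2: accept the token only if untampered, unexpired and not already used."""
        try:
            body, sig = token.split(".", 1)
            payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        except (ValueError, json.JSONDecodeError):
            return False
        if not hmac.compare_digest(sig, self._sign(body)):
            return False                    # forged or modified token
        rec = self._pending.get(payload.get("n"))
        if rec is None or rec.email != payload.get("e") or rec.purpose != payload.get("p"):
            return False                    # unknown, already used, or mismatched request
        if self._now() - rec.requested_at > self.TOKEN_TTL:
            del self._pending[payload["n"]]
            return False                    # link expired; the person must start again
        del self._pending[payload["n"]]     # single use
        rec.confirmed_at = self._now()
        self._records[(rec.email, rec.purpose)] = rec
        return True

    def withdraw(self, email: str, purpose: str) -> None:
        """Withdrawal must be as easy as giving consent: one call, no confirmation step."""
        rec = self._records.get((email.strip().lower(), purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = self._now()

    def has_consent(self, email: str, purpose: str) -> bool:
        """Only confirmed, non-withdrawn consent may be relied on for processing."""
        rec = self._records.get((email.strip().lower(), purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str, purpose: str) -> Optional[ConsentRecord]:
        """The record you would produce if asked to demonstrate consent."""
        return self._records.get((email.strip().lower(), purpose))


if __name__ == "__main__":
    store = DoubleOptIn(secrets.token_bytes(32))
    token = store.request("alice@example.com", "newsletter", "privacy-notice-v2")
    print("usable after form only?", store.has_consent("alice@example.com", "newsletter"))
    print("confirmed:", store.confirm(token))
    print("usable after email confirmation?", store.has_consent("alice@example.com", "newsletter"))
    print("evidence:", store.evidence("alice@example.com", "newsletter"))
```

The token signature is checked with `hmac.compare_digest` so that a forged token cannot be distinguished from a valid one by timing, and the nonce is deleted on first use so a confirmation link found later in a mailbox cannot re-create consent that has since been withdrawn.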
7. Processing Children’s Data:
If you collect and process data on children you will have to have systems in place to verify individuals' ages and to obtain consent from a parent or guardian where the child is below the age of digital consent (16 under GDPR, which individual Member States may lower to as low as 13).
8. Reporting Data Breaches:
The GDPR defines a 'personal data breach' as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data'. A breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it, and the affected individuals must be told without undue delay where the risk to them is high. Organisations are therefore expected to monitor for breaches, investigate the cause, and keep an internal record of every breach, including those not reported.
9. Data Protection Officer:
Organisations that must appoint a DPO include public authorities, organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organisations that process special categories of personal data (what was previously known as sensitive personal data) or data on criminal convictions on a large scale.
10. GDPR Documentation:
Organisations are required to show they have GDPR policies and procedures in place, and these should be documented, including records of processing activities, retention periods and the lawful basis for each type of processing.
It is important that anyone who has access to personal data is aware of their data protection obligations and never shares or copies this data unless authorised to do so. This can be included in the CT Business Solutions GDPR Technology Check-up.
We can assist with your IT risk management strategy by carrying out an audit of your IT systems. We can identify who has access to any software applications or data stored on your network and review your existing security measures. We can also ensure your laptops and other mobile devices are secured and encrypted, and advise whether data you transmit is adequately protected in transit.
For more information and to arrange a GDPR Technology Check-up, please contact CT Business Solutions here.