Regardless of Brexit, the General Data Protection Regulation is happening on 25 May 2018, so if you have not yet pulled together a project team, or thought about your gap and risk analysis, you need to do so fairly quickly.
Whilst many people are aware of the need to be compliant, some assume that it is a simple update to your Data Protection or Data Security Policy, or something that your IT department or providers will be dealing with. Some will be relying upon a market for off-the-shelf GDPR compliance packages and hope that there are enough providers of such packages to drive the prices down to a reasonable level at some point in April 2018.
What steps should I be taking?
Rather than scare you with the complete list of steps needed to reach compliance, this article deals with how you can get the ball rolling, since the most difficult step is often the first one.
“You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.”
– Information Commissioner’s Office (March 2016)
Pull together a project team, or at least appoint someone senior to take responsibility for compliance.
Map out exactly what personal data you are currently processing, by compiling a list of the following:
- What information are you asking for?
- What is the purpose of asking for that information?
- Where is that information stored?
- How is that information stored?
- Who needs that information?
- Who can access that information?
- What information has been provided to the individual about what their data will be used for?
- What consent has been obtained?
Once you have the answers to those questions, you will begin to understand the task at hand. You will be expected to demonstrate that personal data is processed for a legitimate interest and that appropriate consent has been obtained. The burden of proof lies with you.
We are working closely with a number of our clients in taking them through the various stages of the process and have pulled together a questionnaire, which we have found very useful in identifying, as early as possible, what compliance action is necessary.
To download our GDPR questionnaire, please click here.
Please don’t leave it too late!
For More Information Contact:
Graham Millar
Mobile: 07841920102
Direct Dial: 0141 530 2023
Email: gmillar@gilsongray.co.uk
John Kielski
Direct Dial: 0141 530 2038
Email: jkielski@gilsongray.co.uk
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.