Eight steps to get your firm GDPR compliant
The General Data Protection Regulation (GDPR) entered into force throughout the European Union on 25 May 2018 and will enter into force in July/August 2018 in Norway. All businesses that hold personal data that can be used, directly or indirectly, to identify a person need to follow the new regulation.
Even if you feel your business is not ready for GDPR, there are steps you can take and issues you can easily address to become compliant. The penalty for GDPR non-compliance is up to €20M, or a maximum of 4% of the organisation's annual global revenue.
The aim of the GDPR is to protect citizens from privacy and data breaches.
Elin Mathisen, Partner in Berngaard, underlines: “Keep in mind that personal data comprises any information related to a physical person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. This means that even the smallest companies with a few employees and/or a few customers must implement GDPR in their organisation.”
Mathisen advises firms that are preparing for GDPR compliance and has prepared a GDPR compliance package with training aimed particularly at small and medium-sized companies. She says: “Companies should first and foremost understand the basic principles of GDPR. Then involve every department in the organisation, not only management and IT.”
Mathisen also points out that “It might be difficult and time-consuming to navigate through all the GDPR information available from the Data Protection Agencies. If you still haven’t got anyone to assist you in making your firm GDPR compliant, it could be useful to get help.”
Elin Mathisen lists eight main points for firms to note as they prepare for GDPR:
1. Become responsible
The Regulation includes provisions that promote responsibility, so we advise organisations to make an inventory of all the personal data they hold and examine it under the following questions:
Why are you holding it?
How did you obtain it?
Why was it originally gathered?
How long do you need to retain it?
How secure is it, both in terms of encryption and accessibility?
Do you ever share it with third parties, and on what basis might you do so?
2. Review personal privacy rights
Data subjects have several rights pertaining to the way organisations collect and hold their data. These include:
The right to be informed
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
The right to access
3. Keep staff and customers informed
When collecting personal data from staff, customers or service users, you need to inform them about what personal data you are collecting and what rights they have over it.
4. Learn about legal grounds
You need to have a lawful ground to process data. There are six lawful grounds for processing data:
Consent
Necessary for the performance of a contract
Compliance with a legal obligation
Vital interests
A public task
Legitimate interests
Most organisations currently rely on consent by default, but the GDPR toughens the rules for obtaining and keeping valid consent. Even if you obtain consent from an employee, it is not necessarily accepted as a lawful ground. Organisations should learn when each of these grounds can be relied on and adjust their data collection policies accordingly.
5. Be prepared to delete your data
The GDPR embodies a "right to erasure" in place of the "right to be forgotten" that already applies within the European Union. In specific situations, subjects can request that their details be removed from your database entirely. Make sure you have routines in place for completely removing a subject's data from all of your databases.
6. Plan for data breaches
One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery and provide them with as much detail as possible.
7. Document your routines
It is important that you can document your compliance with GDPR. These are the documents you should consider preparing:
Records of processing activities
Privacy policy
Risk assessment
Data processing agreements
Routines
8. If you are a tech company, you also need to consider
Privacy by design
Organisations should adopt a privacy-by-design approach to data protection.
Data Protection Impact Assessment (DPIA)
DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.