Help! Am I GDPR Compliant?
With four months before GDPR comes into effect, many still have doubts about their organisation’s readiness. IT research giant Gartner says 61% of organisations had still not begun GDPR compliance by June 2017, so this is not unusual. The thing to keep in mind is that you still have time to prepare for the deadline in May. It starts with a pencil and paper.
It’s all about the people
GDPR compliance is all about the people whose information you are protecting. Put them at the heart of everything and you will not go wrong. Think about the kind of upset or embarrassment they would suffer if their data were misused. Your purpose is to protect them.
As one of the biggest buyers, refurbishers and sellers of hardware, Techbuyer has a business model that spans the whole breadth of GDPR regulation, from the consent protocols for outbound marketing, internet security, database and website management, and staff and dependent records, right through to data destruction of over 10,000 hard drives every month. We spent 1000 hours over three months to ensure compliance. For most organisations, it should be less complicated.
Understanding your data management means you are halfway towards compliance. Describe whose data you hold, what data you have, how you use it and for how long, and why you need it. Be ready to give this information to individuals should they ask.
Draw a map
Even the simplest organisation has multiple methods of collecting, storing and sharing data. Looking at this thoroughly is the starting point for your GDPR preparation. It will help you understand what information you have, what you need to do to make sure it is secure and accessible to the right people, and guide you towards the policies you need to write down to do this. You should think about the information itself and the way it’s transmitted.
Look for weaknesses
Assess how secure the data transfer is and how easy it is to get at when it is stored. Facebook, for example, is a great way to get in touch. But it’s not a good idea to give personal details on the wall.
A text message is a quick, efficient way to send an address. But you need to think about how to make that phone less vulnerable to other people seeing the information. Screen locks, deleting the message after it has been used and ensuring the device is remotely wipeable are all good ways of doing this.
Once you start getting into this, you will find all sorts of free resources available, and software that already has things like encryption built in. Check out our article Top Tips for GDPR Compliance if you want to know more.
Write down what you do
As soon as you know which data exists and have thought about how to protect it, you should write a procedure that covers this. It can be as simple as a one-page Word document that is clear about what your organisation does and the best way to do it. Distribute this in its full form to all employees, and create a simplified version for individuals whose data you hold. They have the right to know what data is held, how it will be used and for how long, as well as why you need it.
Make sure you do it
Once the policies are in place, you need to make sure everyone in your organisation has read them, understands them and understands how they apply to their job. You can make this as straightforward as distributing a Word document and asking people to sign it. Or you can take a more creative approach. The important thing is that data security is everyone’s responsibility, in the same way Health and Safety is. Don’t feel shy about asking what steps service providers are taking towards GDPR compliance, and be ready to change provider if they do not pass muster.
Plan for a breach
You have 72 hours to report a breach to your lead supervisory authority. Make sure you plan for this in terms of how it will be reported internally and externally. Create a drill, and practise it.
Don’t forget the end of the line
Data should not be kept for any longer than you need it. Plan a way of deleting personal information from databases and backup drives. And make sure data stored on old hardware is properly wiped as part of upgrades or replacements. For more information, read our article The Right to be Forgotten – GDPR and Asset Changeouts.