Brexit Means No GDPR?
When I speak to companies, I still encounter (senior) people who believe that with Brexit they don't really need to comply with the GDPR, as it's an EU requirement. That is very much not the case. The government has confirmed that the UK Data Protection Bill (which incorporates the requirements of the GDPR into UK law) will proceed into law, so all UK companies need to be compliant by 25 May 2018, the date the GDPR takes effect.
What Should Every UK/EU Organisation be Doing?
No matter what their business is, every UK and EU company is likely to hold some Personal Data (if only for its employees), so in readiness for the GDPR they should follow the steps below as a minimum:
1. Understand Your Data
Know and understand what Personal Data your organisation collects, how it is processed, whether it is accessible to anyone without the Data Subject's consent, and whether it is sent to third parties. Where third parties process the data on your behalf, ensure that your agreements with them identify them as a data processor and set out their obligations. If your data processors are outside of the EEA, you may need additional contractual safeguards (such as the standard contractual clauses) before you can legally send the Personal Data to that country and vendor.
2. Create your data purpose(s)
If you already have a data purpose, ensure that it is updated and appropriate for use under the GDPR. If not, you will need to create one. It should state what data is collected, why it is collected, how it is processed, who processes it and where (in particular if that is outside of the EEA), how long it will be retained for, and who to contact in case of a data protection query (your data protection officer).
3. Ensure consent
Ensure that you are obtaining the Data Subject's consent to use their Personal Data and that you are recording each consent, so that it can be demonstrated to the Data Subject or a Data Protection Authority in the case of a Subject Access Request or a complaint. If you already hold a lot of personal data for which you have no record of consent, then you may want to look at actively re-establishing consent. In some cases (such as processing needed to provide a service the Data Subject has asked for) a lawful basis other than consent, such as performance of a contract, may apply instead, but you may need to seek additional help in this area.
4. Support the data subject’s rights
Assess your business processes and the functionality of your computer systems to be sure that they can support the Data Subject's rights (access, rectification, erasure, portability and the others set out in the GDPR) within the time frames the GDPR dictates, which is generally one month from receiving the request.
5. Create an incident response plan
The GDPR requires that, following the discovery of a data breach or other incident involving personal data, the incident is handled in a way that lets your organisation inform the Data Protection Authority of the nature and scale of the breach, the action that has been taken and the likely impact on the Data Subjects, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals). Where the breach is likely to result in a high risk to the Data Subjects, they must also be informed without undue delay. This requires having an Incident Response Plan that can be followed, so that your organisation does not have to establish the process whilst dealing with an incident.
I hope this article has improved your understanding of the GDPR and given you the steps that will help you start your journey. The GDPR, whilst not as scary as it is often portrayed, can be complex, so if your business has some complexity in its requirements (such as cross-border data processing, or being based outside of the EU) then you should seek help and support to ensure that your approach is both appropriate and proportionate to your requirements.
Darren Wray, CEO of Fifth Step and author of the article above is a proud member of the IoD. If you would like to join Darren and 30,000 other leaders then you may be interested in one of our membership packages.