If GDPR and compliance are a concern for you or your organisation, don’t worry. Taking all the different aspects in at once can (and probably has) caused everyone to feel a little overwhelmed at some point. But it doesn’t need to. Here are the five tips to know about and why they matter.
Transparency
When it comes to GDPR, transparency is a fundamental principle. The reason why that’s the case is simple. It gives individuals as much control over their data as possible and facilitates their rights.
Control and rights are both fundamental underpinning principles of GDPR.
How does a company demonstrate transparency? The content of privacy notices is a good start. Good, compliant examples include
- the contact details of the company;
- if required, the Data Protection Officer,
- the purpose and lawful bases for processing the data
- and the categories of personal data you hold to name a few.
Mapping your data
Data mapping confuses some, but its principle is relatively easy. Mapping your data means establishing what information you hold and exactly how it flows through your company. This type of audit (also known as a mapping exercise) should be performed regularly by assigned individuals.
Doing so ensures it is maintained and amended as needed by a person or persons who are aware of their responsibilities.
Reporting breaches
Breaches can unfortunately happen, and on a long enough timescale, something similar to the list below probably will.
Data breaches can take many forms, such as:
- Device loss or theft
- Phishing scams
- Hacking
- Lost or stolen external USB drives
Breaches can also result from carelessness or lack of awareness, such as unattended computers and, especially recently, working from home on unauthorised personal devices and unprotected networks.
Reporting breaches of personal data have been mandatory since before the GDPR came into force. It just became more visible,, and the assessment for reporting changed. The Information Commissioner’s Office has a dedicated section for more information about breach reporting.
Knowing your subject’s rights
Data subjects have a wide range of rights relating to the data you hold about them, making it essential to know why you are processing the information you hold about them.
Data subjects have some or all of the following rights:
The right to be informed (Including why you are processing their data, how long you intend to retain it and who you might share it with.)
A right of access (Typically referred to as a Subject Access Request or SAR which must be dealt with in a timely way.)
The right to rectification (If the subject feels their data is incomplete or inaccurate.)
A right to erasure (Also known as the right to be forgotten, sometimes for legal reasons this may not always apply)
The right to restrict processing (In certain circumstances, an individual as the right to store their data but to stop you using it.)
A right to portability (The right to obtain their data and reuse it for another purpose or service.)
Being accountable
For both controllers and processors, demonstrating compliance and putting measures in place to meet the requirements for accountability will mitigate the risk of enforcement action. Still, it will also build trust in your business and its services and raise you above the competition.
For help and advice around transparency, avoiding breaches, mapping the data you use, subject’s rights and accountability, get in touch today; I’d love to offer you help and advice in the field I specialise in.