The 25th May GDPR deadline looms, so we thought we’d share some GDPR Quick Wins. Are people at least a little nervous? Most certainly. Having been in the compliance business for some time, this situation comes to us as no surprise. Don’t worry – the GDPR Police are not in the car park yet.
GDPR Quick Wins?
Are we suggesting 100% compliance via an afternoon’s work? No – sorry. However, we’ve put together some pointers below, which may be “quick wins”. We’re focussing here on the aspects which are likely to have the greatest impact and reduce risk.
1. What Are Your Processing Activities? Document Them!
Both data controllers and data processors must maintain a record of their processing activities, according to Article 30 of the GDPR. All cases of processing should be documented, namely what is processed, how it is carried out, its lawfulness, and whether there is interaction with third parties.
Like many issues surrounding standards and compliance, this is a highly useful activity. Even outside the GDPR imperative, it will benefit your business.
2. Is Your Processing Lawful?
The GDPR says it must meet the following criteria:
The data subject consents to the processing of personal data for one or more specific purposes.
Processing is necessary for the performance of a contract.
… for a legal obligation which the data controller is subject to.
… to protect the vital interests of the data subject.
… to carry out a task in the public interest.
… for purposes of legitimate interests pursued by the data controller.
Are your processes lawful according to GDPR? If not, make changes where required.
4. You Need a Breach and Incident Register
There’s some common confusion here – not all breaches must be reported to the supervisory authority or even the data subject themselves. However, where there is a risk to the rights and freedoms of data subjects, then a report needs to be filed. Otherwise, breaches need only be reported internally. Once again, this is a thoroughly sound business improvement tool, highlighting areas of risk and improvement.
And Breaches Are…?
Unlawful processing, unauthorised access, deletion, alteration, transmission or sharing of personal data. They should be recorded in your breach and incident register. Once again, in the interests of good practice, it would be wise to brief users on how to spot breaches and how to register them.
5. Subject Access Requests and Other Rights – Establish Some Processes.
Under GDPR, we’d suggest that there are three key ones:
The right to access (subject access request)
… to restrict processing
To clarify, Subject Access Requests permit data subjects to request information from you on what you hold about them and how you process it. GDPR mandates that you respond to such requests within 30 days. Therefore, you will need a solid, efficient, documented and agreed procedure for handling such requests.
As a consequence, the data subject has a right to restrict processing and to object to it on the grounds of lawfulness of processing. If processing is consent-based, then the data subject can withdraw consent. Once again, a sound documented process will keep your company out of court.
We believe that these are the key areas generally requiring attention. We are here to help, to simplify, not complicate, so please get in touch if we can help with your GDPR quick wins.