With just weeks until the new data protection regulations come into force, if you haven’t got your process in place you will need to get your skates on! On 25 May the way we protect and use data is changing. Our current Data Protection Act was written in 1998 and really doesn’t cover how we use and store data in today’s environment. To put that in perspective, in 1998 France won the World Cup, smartphones didn’t exist and neither did cloud technology. Data protection rules apply to all information held electronically or in paper files that can identify a European individual. They relate to the processing of personal data, which means collecting, using, disclosing, retaining and disposing of information.
We catch up with local GDPR expert, Daniel Reeves, Managing Director of The Bicester Computer Clinic who has been running free GDPR workshops over the last few weeks to help people understand the importance of these data changes and what you need to do to be compliant.
Daniel Reeves comments, “Some of the information out there about GDPR can make it feel and seem very scary, but it is a glass-half-full situation, not half-empty, as every company needs to do it and it means that your own personal data is going to be safe and not misused. At TCCB we have broken down the very large GDPR document into 12 points of interest to help companies to become compliant.
Most companies don’t realise the amount of data they hold and in some cases are not aware of who has access to that data. Along the GDPR journey you will gain this information and get a better understanding of how to make sure it is protected.
To start your GDPR journey you should be looking for an IT professional who can assist and guide you. Most competent IT companies have already built a team of professionals that includes an HR expert for policies and procedures as well as a legal professional to advise on the legal measures that are required. Working with these three professionals from different industries, you will cover every base and your GDPR journey will be considerably easier than doing it alone.
Awareness – You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold – You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals’ rights – You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests – You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Lawful basis for processing personal data – You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Consent – You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Children – You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments – You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Data Protection Officers – You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
International – If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
Last and by no means least, one of the elements of the GDPR relates to the length of time we keep the information we hold, and not keeping it for any longer than necessary. This may mean, like it did for us, that you have a large amount of old paperwork to be disposed of.
Old files must be disposed of in a secure and confidential way, and physical shredding is the most reliable way to do this for paper files and digital media. Remember, anything that has so much as a name or email address on it is classed as confidential data, so think about where you put that email you printed out, or that extra invoice with a client’s name and address on it!
If you need a shredder, we can arrange for you to have a secure shredding console in your office, which is collected every 4 weeks.
Please contact [email protected] for more details.
For further information on GDPR you can also refer to the official GDPR portal –