GDPR - What you need to know
GDPR stands for the General Data Protection Regulation. In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties both for organisations that fail to comply with the rules and for those that suffer data breaches. It also ensures that data protection law is almost identical across the EU.
Steps to becoming GDPR compliant
Ensure that you are obtaining the Data Subject's consent to use their Personal Data, and that you are recording their consent(s) so that they can be demonstrated to the Data Subject or a Data Protection Authority in the case of a Subject Access Request or a complaint. If you already hold a lot of personal data for which you have no record of consent, you may want to look at actively re-establishing consent. In some cases (such as the provision of an active service) consent may be implied, but you may need to seek additional help in this area.
The GDPR requires that, following the discovery of a data breach or other incident involving personal data, the incident is handled in a way that allows the Data Protection Authority or the Data Subject to be informed of the nature and scale of the breach, the action that has been taken, and the potential impact on the Data Subjects, all within 72 hours of the discovery of the breach. This requires having an Incident Response Plan that can be followed, so that your organisation does not have to establish the process whilst dealing with an incident.
Know and understand what Personal Data your organisation collects, how it is processed, whether it is made accessible without consent, and whether it is sent to third parties; where it is, ensure that your agreements with those third parties identify them as a data processor. If your data processors are outside of the EEA, you may need an additional contract to be able to legally send the Personal Data to that country and vendor.
If you already have a data purpose, ensure that it is updated and appropriate for use under the GDPR. If not, you will need to create a data purpose, which states what data is collected, why it is collected, how it is processed, by whom and where (if outside of the EEA) it is processed, how long it will be retained for, and who to contact in case of a data protection query (your data protection officer).
Assess your business processes and the functionality of your computer systems to ensure they can support the Data Subject's rights within the time frames dictated by the GDPR.