Helpful GDPR Checklist

Whatever the size of your business, you need to take action now to prepare for the General Data Protection Regulation (GDPR) which comes into force on 25th May next year.

We appreciate it can be difficult to know where to start, so we have compiled this checklist to help you begin to consider the areas of GDPR which affect your business.

GDPR Checklist - Helping you Prepare

First Steps

Appoint an individual to ‘lead’ on GDPR compliance in your organisation – you need someone to take ownership of the issue to ensure you are compliant by 25th May 2018.

Identify areas in which your organisation is currently non-compliant. You may like to enlist the support of employees in this task and document areas of concern in a risk register.

Employees

Ensure all employees are aware of their GDPR-related responsibilities on an ongoing basis.

Review who has access to information and what they can do with it. Set in place the ability to change access rights as appropriate. You need to protect your organisation against data breaches, but you also need to ensure employees have access to the information they need to do their jobs. A detailed audit will help you to do this.

Ensure employees understand what to do in the event of a data breach. Make sure you have a clear policy and procedure so that you can address issues proactively before they have a chance to escalate.

Information gathering

Identify the lawful basis of your information-gathering, and ensure the reasons are clear to all concerned – your privacy notice may be the best way to communicate.

Make sure you currently seek consent when requesting information from individuals, and ensure this is properly documented.

If you collect data for email marketing purposes, ensure recipients have proactively opted in. You should not add people to your mailing list without their express consent.

Because the GDPR contains special protection for children, you may need to consider whether you need systems in place to verify people’s ages and obtain parental/guardian consent for data processing.

Information management

Document what personal data you hold and be clear on where the information came from, where it is held and who has access to it.

Review your IT systems to ensure information is held securely with appropriate back-up.

Make sure your privacy notice (the notice which tells people from whom you collect data who you are and what you are going to do with their information) is up-to-date and GDPR-compliant. There are several requirements in GDPR which are additional to the current Data Protection Act such as the need to explain your data retention periods.

Make sure you have the correct procedures in place to ensure inaccuracies can be rectified, not just within your own organisation but with any other person/organisation you pass that information on to.

Make sure you have robust procedures in place to identify, report and investigate any personal data breaches which may occur.

Ensure your organisation can respond appropriately to information requests. Work out how you would comply with each of the individuals’ rights contained within GDPR:

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

The right not to be subject to automated decision-making, including profiling.

International businesses

If your organisation operates within other EU territories and you carry out cross-border processing (you are established in more than one EU country or your data processing substantially affects individuals in other EU states), you need to document the lead data protection supervisory authorities.

How can Ten Ten Systems help you prepare for GDPR?

As your IT systems are central to GDPR compliance, we are here to help. Our team can support you by identifying how your business is affected and putting in place the correct systems and processes to ensure information is correctly handled.

“The penalties for non-compliance are severe so you need to understand what GDPR means for your organisation and take action now.” Steve Birks, MD

What to do next

Please get in touch with us on 01244 408990 to discuss GDPR and its potential impact on your business.
