GDPR Checklist – What you need to know and what steps you can make now
You may have seen several articles and news stories on GDPR, but what actually is it? GDPR is the General Data Protection Regulation, an EU regulation on how organisations collect, store and protect personal data. It applies from 25th May 2018 and, because it is a regulation rather than a directive, it applies directly in every member state (including the UK) without needing separate national legislation. It applies to any business that handles the personal data of individuals, regardless of the size of the business, and every business needs to make sure it is compliant by that date. Unfortunately, according to YouGov, just 29% of UK businesses have started preparing for GDPR, and a large proportion have not even heard of it.
Clarke Williams believe that our clients should be armed with all the information they require to operate successfully, so we are looking at GDPR: what it actually means for your business, what you can do to comply, and what solutions can be put in place to further protect your business.
What is GDPR changing?
As mentioned above, GDPR is about regulating data. Fundamentally, it is about how the personal data of employees, customers and prospects is collected, managed and processed.
GDPR strengthens the rights of individuals over their data, giving them greater access to and control of it. Under GDPR an individual can:
- Be told how their data is processed, and obtain a copy of it
- Request that a data holder erases all of their personal data (the "right to be forgotten")
- Easily transfer their personal data between service providers (data portability)
- Be informed without undue delay if a breach of their data is likely to put them at high risk
For businesses, GDPR also changes the way companies gain consent for personal information to be used. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so silence, inactivity or pre-ticked boxes no longer count as consent, and consent must be as easy to withdraw as it was to give. This is a key area that will affect most UK SMEs, as 87% of current consent-gathering mechanisms are not valid under the new GDPR rules.
GDPR also widens what counts as personal data to include anything that identifies a person by reference to their genetic, cultural, economic or social identity, and gives extra protection to special categories such as genetic and biometric data.
Why is this important?
Everyone within your organisation or company needs to know about GDPR, and consumers also need to understand their new rights under this legislation. Business owners need to ensure they have given all employees clear guidance on the regulations and on the procedures that need to be in place and followed. Saying "I wasn't aware" is not going to be a valid excuse if you are audited.
GDPR is not just about obtaining consent and processing data; it also covers protecting the personal data that you store or transfer to a third party. The new legislation requires organisations to put in place appropriate technical and organisational measures to protect against data theft, loss or any other breach, and to be able to demonstrate that they have done so. Clear evidence must be shown that you have carried out due diligence in regard to security software, disaster recovery, back office systems, third party providers and physical security.
A personal data breach must be reported to the ICO within 72 hours of you becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned, and you must keep a record of every breach whether or not you report it. Where the breach is likely to put individuals at high risk, you must also tell them without undue delay. Organisations found to be non-compliant with the data protection and processing rules can be fined up to €20 million or 4% of their annual worldwide turnover, whichever is higher.
How can I prepare for GDPR?
Preparing for GDPR means understanding how it might affect your business, and you can start by asking yourself six simple questions:
- What data do I have and why do I have it? – Do you have a lawful basis (consent or another basis) for storing this information, and have you explained to the individual what you are going to do with their data? Have you obtained consent for it to be passed on to a third party and explained why it has been transferred?
- Do I manage my data in a structured way? – Are there clear written procedures in place for handling data and for how it is stored? Does everyone in your organisation understand what they are collecting and why they are collecting it?
- Who is responsible for my data? – If you have transferred any data to a third party for storage or processing, is it clear in your contract who is responsible for any data theft, loss or breach? Are you aware of what procedures the third party has in place to protect the data, and have you carried out adequate due diligence?
- Is my data protected? – Do you have adequate technical security (encryption, firewalls etc.) in place to protect your data? Is access to data restricted within your company, so that only key personnel are able to access personal data?
- Are my employees aware of the requirements? – Create a security-aware culture within the organisation: every staff member should know what data you store and why it is stored, and understand the implications of any data breach. Do you operate a clear desk policy? Do your employees have access to mobile phones while handling any data?
- Am I prepared for the worst? – Do you have procedures in place if you suffer a data theft or loss? How will you notify the ICO and the affected individuals? Can you comply with a request to delete an individual's data?
These questions should start you thinking about each area of your business and improve your understanding of what you have and why you have it. This should put you in a better position to run through the Information Commissioner's Office (ICO) checklist on preparing for GDPR (the ICO publishes the full checklist on its website), which includes:
- Awareness: Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information You Hold: Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communication of Privacy Information: Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals' Rights: Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject Access Requests: Update your procedures and plan how you will handle requests within the new timescales (in most cases within one month, rather than the current 40 days, and normally free of charge) and provide any additional information.
- Legal Basis for Processing Personal Data: Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent: Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children: Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data Breaches: Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Data Protection Officers: Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International: If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
How can I protect myself further?
Even if you have done everything possible to comply with GDPR, you may still suffer a data theft, loss or breach: some incidents are unavoidable. The FSB recently advised that two thirds of its members had been a victim of a cyber attack in 2016 and that 99% of UK SMEs listed the internet as highly important to their business. Unfortunately, online threats are evolving, with data breaches, distributed denial of service (DDoS) attacks and malicious software (including malware and viruses) becoming more sophisticated and harder to protect against.
Thankfully there are solutions available to help protect your business if the worst does occur. Many insurers now offer Cyber Insurance, which provides cover in the event of a data breach and can also extend to cover damage to your company's reputation following a breach. Some policies will also provide expert advice on handling data breaches and crisis management, helping your business to get ahead of an issue and manage its reporting successfully.
There are many different policies out there, and it can be confusing as to which one is best suited to your business. Our cyber experts are available on 01732 252898 to discuss your business and provide expert advice on what we feel is the best solution for your unique needs.
Be safe in the knowledge that your business is protected.
Get a quote by calling our team on 01732 252 898
Clarke Williams Ltd are authorised and regulated by the Financial Conduct Authority under reference 758683. The Financial Conduct Authority’s Register can be accessed through http://www.fca.org.uk/ . We are registered in England and Wales with Companies House under number 10317065. Our registered office address is Blue Bell Court, Sovereign Way, Tonbridge, Kent, TN9 1FU.