What to consider when preparing for GDPR

Gary Shipsey, Managing Director of Protecture, is approaching 13 years of practical experience turning information law into practice. Gary is co-author of the Fundraising Regulator’s Guidance “Personal Information and Fundraising: Consent, Purpose and Transparency” and regularly speaks and advises on all things GDPR, data protection and privacy related.

 

GDPR. The four letters which will change the way organisations handle personal information.

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, building upon the current Data Protection Act 1998. It requires you to be truly accountable for your management of personal data. It also requires genuine transparency with individuals and for you to make informed, risk-based decisions that account for your needs and the potential impact on individuals.

Readiness Assessment

First, you should assess your current position: you may have policies, procedures and practice that already meet the updated requirements of GDPR in some areas. An initial assessment will give you a clear scope of work required to improve: both those areas that need minor updates, and those which need more work and might take more time.

To help you prepare for 25 May, our Trusted Supplier Protecture has broken GDPR down into three sections: accountability, transparency and security.

Accountability

The GDPR requires you to be truly accountable for the management of personal data. Do you need to appoint a Data Protection Officer (DPO)? Do you have GDPR-ready policies and procedures? Who needs training and to be aware of their responsibilities under GDPR? True accountability creates a solid foundation for your data protection journey to GDPR maturity.

A key part of accountability is the Record of Processing Activity (ROPA). Creating your ROPA will give your organisation an overview of why it processes personal data the lawful basis, and the Data Subjects you engage with. It will underpin your approach to risk-based decision making and assist you in meeting individuals’ rights and your transparency obligations.

Transparency

It is crucial you provide more information to individuals about your handling of their personal data.

To do this, you need to know a great deal about the personal information you are responsible for. The first step to achieve this is through a data mapping exercise. This should establish every point at which your organisation collects personal data. Next, you should document where that data is stored, whether it be in a CRM system, network drive or filing cabinet. Finally, record which internal and (if any) external organisations process the data.

Next, you need to define a privacy information strategy. This should outline how you will provide the additional privacy information required by the GDPR, and do so in a way this is accessible and understood by the different types of individuals you engage with.

Finally, you should assess the relationships you have with other organisations – whether these are formal contractual obligations, data sharing arrangements, or other partnerships – and prioritise for review those that involve the greatest volume and/or sensitivity of personal data.

Security

Once both accountability and transparency have been addressed, you will be able to look at security. You need to assess your data stores (CRM, filing cabinet, etc) and consider the security measures in place.

There are three situations that need to be considered, when data is:

  • static – not in use
  • being used
  • in transit – being shared or moved

Assessing your current security situation – based on your informed understanding of which stores of data, in which states, have the greatest value, and pose the greatest risk to your organisation – will enable you to quickly establish any significant areas of risk and start taking actions to address them.

Key steps to take today

  • Raise awareness throughout your organisation
  • Assess your current position – to establish the scope of work ahead
  • Allocate internal resource and accountability
  • Define a clear plan, to prepare for the 25 May and beyond

More from Protecture

Protecture are a Trusted Supplier of NCVO and provide a subscription-based service to provide you with the tools and guidance on the road to data protection maturity. For more information on their subscriptions, see their Trusted Supplier page.

Gary also presented a webinar on getting ready for GDPR for us,  you can watch the webinar recording.

This entry was posted in Practical support and tagged . Bookmark the permalink.

Comments are closed.