Following on from my initial post about what GDPR covers I thought it would be good to work through the basic requirements to make sure you are ready come the end of May.

GDPR

By failing to prepare, you are preparing to fail #

One of those usually annoying quotes, but in this case it does hold value.


Understand your data #

The very first part of the process is to look at the data you hold as a company by way of an audit. The things to note here are:

  • What data are you collecting?
  • How are you collecting it?
  • Where is it (and its backups) stored?
  • Are staff aware of the policies/procedures around the use of personal data?

What are you collecting? #

People talk about 'Big Data' and gathering everything you can about your users. The reality is that, with the changes in regulations, it may make sense to consider what information you actually need from your customers. The more data you hold, the bigger the ramifications are in terms of managing that data.

How are you collecting it? #

Make sure you are using the correct opt-ins on forms; remember the checkbox cannot be pre-ticked and the question cannot be worded in a confusing way. The user has to consciously opt in to you using their data. It goes without saying that you should not be obtaining email addresses by improper means, such as from dubious bought lists or by harvesting them from the internet.

Where is it stored? #

Look at how you store your customers' data. Is it held somewhere with limited access, or can the whole organisation access it? Do you keep all your user data in one place and away from insecure devices that could be lost or easily stolen?

Map your business processes and data stores and document this so you can clearly see you have all bases covered.

Backups of customer data are included in the GDPR legislation, and there will be cases where retrieving data from them is an issue. The regulations state that you must take reasonable steps having regard to the available technology, the cost of implementation and other technical measures.

Are staff aware of the policies/procedures around the use of personal data? #

The protection of personal data is the responsibility of everyone within an organisation. You should be documenting your audit and any associated activity such as a Business Impact Analysis, Privacy Impact Analysis or other risk management policies. You will need to show that you have a plan in place for deleting redundant information and for reporting data loss or misuse.