16i, a Cheltenham-based digital design agency, has outlined what businesses need to be doing now if they want to be ready for the incoming General Data Protection Regulation (GDPR).
Almost all businesses will have to take action to ensure they comply with the legal requirements around people’s personal data, with GDPR set to come into force in May 2018.
Alex Clough, managing director of 16i, comments: “GDPR, at the moment, is something that businesses may have heard of, but not actioned. By May, however, businesses will need to have acted to ensure they’re ready to meet the core requirements of the legislation. We hope to help businesses understand the principle of what they need to do to achieve this.”
Make the team aware
While GDPR has received a lot of press coverage, not everyone is aware of the changes. Businesses need to make sure to raise the topic with their team to ensure they know about both the risks and the opportunities.
Review contracts to see which ones would need to be amended
GDPR will require suppliers and customers to review supply chains and current contracts, so renegotiations may be required. Equally, commercial terms will inevitably have to be revisited given the increased costs of compliance and higher risks of non-compliance.
Identify data flow
An important step towards compliance is to review an organisation’s data flow. This allows firms to identify the location, access and ownership of data, whilst classifying the type of data the organisation holds.
Key questions that every organisation should address include:
- What ‘personal’ data is being processed?
- Are existing processing methods compliant?
- Where is data being held and how does it flow through the organisation?
- Are there adequate controls in place surrounding movement and storage?
- Who in the organisation owns the data?
- Who can access the data?
- Who, if anyone, is it being shared with, both internally and externally?
Revisit data sharing protocols
Most organisations carry out some form of data sharing, typically between either group organisations or with external third parties. However, if the data being shared is ‘personal data’, additional steps will need to be taken to ensure individuals are provided with all the relevant information (relating to how the data is shared) at the right time.
Clear out data
Once data flows and protocols have been assessed, any personal data which is no longer required should be cleared out. The less personal data held, the easier compliance will be (although records should be made of which data was removed and why).
Update data collection methods
Finally, and at a very basic level, look to update data collection methods. Remember, any changes should ensure that the individual is informed (i.e. is aware of who is collecting the personal data, when and how it is collected, and what it is intended for), that consent has been freely given, and that it is the result of a positive opt-in (e.g. no pre-ticked boxes or default options have been used).