As Comsure prepares for its second 2017 GDPR workshop on the 19th October, I thought I would list Comsure’s top tips highlighted by speakers to ensure you are fully prepared for when the GDPR implementation date arrives.
- Get fully acquainted with GDPR principles and requirements
Before embarking on any change management programme, you must have a good understanding of GDPR principles, your obligations around them, and whether your current policies, processes and data require any changes.
Take the time to review the information available, or engage a third party, to help you get up to speed with your GDPR obligations. Whichever option you take, ensure you continue to educate yourself as the landscape changes and further guidance is published. Although you may seek help from third parties, your responsibilities cannot be outsourced, so remaining up-to-speed on your obligations is essential!
- Put a comprehensive plan in place
A clear plan will provide you with a systematic framework for achieving GDPR compliance within the necessary timeframe. At the very least, your GDPR readiness plan should include:
- A systems audit;
- A data audit;
- A gap analysis;
- An implementation plan; and
- A post-implementation review.
The depth and complexity of the plan will depend on the volume of data you hold, your legal basis for holding it and the size of your organisation. You should also include an assessment of the resources available to dedicate time to this project and their skills and experience.
Don’t underestimate how onerous the planning and assessment phase can be, particularly if you have left yourself limited time to implement the necessary changes.
- Don’t play hide-and-seek with your data
It’s essential to know where and how your data is being stored and who has access to it. If you use any third-party systems to hold, collect or process data, you need to establish and document their security controls, accessibility policies and the location of their servers.
Providers of data management and processing systems are likely to also be in the process of making their own changes for GDPR compliance so speak to them about how they are adapting and what assistance they can provide.
- Identify your legal basis for holding or processing personal data
Without a firm grasp of your legal basis for holding or processing personal data, you cannot effectively audit the compliance of your current data and processes.
Remember, there are six legal grounds for processing personal data. A common misconception is that consent is required in all instances where personally identifiable data is being processed. While consent is one of the legal grounds for processing, it is not a requirement in every case, as long as you can demonstrate that one of the other legal grounds applies.
- Delve into your data fields
Each data field needs to be audited against a range of criteria to determine compliance with the forthcoming regulations. For each data field, you should consider:
- The number of records involved;
- The individuals who have access to the data;
- Whether the data is deemed to be sensitive; and
- The legal basis for processing.
You may also need to conduct a data cleanse or anonymise legacy data ahead of GDPR implementation, which could be a time-consuming exercise.
- Fit-for-purpose policies
GDPR introduces new rights for individuals to be informed of the information companies hold on them and how they process it. This information should be provided when the data is first obtained, or within a month if the data is not provided directly by the individual.
As a result, all notices and privacy policies will need to be updated to meet this new requirement. If you use online tools to collect personal data you may also need to change the way you present declarations and obtain consent.
- Provide the right information and obtain informed consent
Consent must be freely given, informed and unambiguous, making this one of the fundamental changes to current data protection legislation. You also need to keep appropriate records to prove that you have obtained consent.
‘Freely given’ consent means the end of pre-checked tick-boxes: the ICO does not accept that a failure to opt out constitutes valid consent, because individuals must have genuine choice and control.
Obtaining informed consent comes down to providing data subjects with clear information about why you require their information, how it will be processed and their right to withdraw consent as part of your disclosures or privacy policies. The wording you use also needs to be clear and unambiguous, with the process for obtaining consent separate from any other terms and conditions.
- Retain personal information only for as long as necessary
One of the core principles of GDPR is that personal information is kept in an identifiable format for no longer than necessary. Although no set timeframe is given, you should endeavour to delete or anonymise personal data as soon as you have used it for the specified purpose for which it was collected.
For marketing messages, you will need to define how long consent lasts and ensure you have appropriate systems in place to enable you to refresh consent or remove lapsed contacts.
- Know what to do if you receive a data access request
Individuals will have the right to request information on the personal data companies hold on them, the purpose of any processing, the length of storage and to whom it has been disclosed. Under GDPR you will be required to provide this information without delay and have a maximum of one month to comply. You’re also no longer able to charge a fee for providing this information. As a result, policies and procedures will need to be updated to reflect your new obligations, with appropriate training in place to ensure all staff are made aware of the new requirements.
- Don’t assume data breaches won’t happen to you
The most common cause of data breaches is human error, so it’s essential that you’re prepared if the worst does happen. If there’s a breach of personal data, whether it involves an unauthorised disclosure, loss or alteration, the data controller must inform the supervisory authority within 72 hours. Staff should therefore be fully trained on what to do in the event of a breach, with the procedures reviewed annually to ensure they reflect any changes to the data being held and the processes around it.
For more information on GDPR and how Comsure can help you, please contact Mathew at mathewbeale@comsuregroup.com