Practical Steps to Implement the General Data Protection Regulation Act
The EU’s General Data Protection Regulation Act (GDPR) is very important legislation coming into force on the 25th May 2018 designed to protect the data rights of all EU residents. It will affect every organisation and it is vital that every employer and employee familiarises themselves with the new legislation. Failure to adhere to these rules will result in heavy fines from the EU.
We have outlined steps below that your organisation can take in order to comply with the GDPR in the most efficient way:
As many different people and teams in every organisation come into contact with data, it is important to ensure that all decision-makers and members of the organisation are aware that the law is changing and that they are ready for the impact and potential risks associated with the GDPR Act. There are webinars, events and conferences devoted to this topic globally so that everyone can familiarise themselves with the changes before the 25th May 2018.
Auditing of Data
It is very important for every organisation to have a documented inventory of all third-party personal data that is held in the organisation. What personal data is held, where it came from, how it was collected and who has access to it are all questions that need to be answered. It is also a good idea to set a date on which the collected data will be destroyed.
The Rights of Individuals
As the rights of every individual are greatly expanded and secured under GDPR, organisations must be able to demonstrate that they can respond to a data request within 30 days. Compliance requires that an organisation is able to demonstrate that it can:
- Confirm the identity of the individual and make available all personal data held in the organisation within 30 days
- Destroy a person's personal data on request
- Identify every employee that has access to an individual's data
- Make the individual aware in the event that there is a data breach in the organisation
Legal Standing for Processing Data
It is required by law that an organisation reviews its own processing of data regularly and identifies and documents the legal basis for each type of processing. The organisation must ensure that no personal data is collected and retained beyond the minimum time necessary, that all data is retained solely for the purpose for which it was collected, and that no personal data is given to any third party for purposes other than those for which it was collected.
Security & Data Breaches
A data breach can pose serious risk to an organisation, in particular to its reputation, along with legal ramifications and financial problems, so data security is a big part of GDPR, which requires that stringent procedures are in place to detect, report and investigate data breaches, including but not limited to:
- The encryption of personal data and the implementation of security measures
- The ability to restore the availability of, and access to, personal data at all times
- The regular testing of an organisation's security measures
- The notification of individuals and the data protection authority within 72 hours of a data breach
Appointing A Data Protection Officer (DPO)
It may be in some organisations' best interests to appoint a Data Protection Officer to oversee the transition to, and ongoing maintenance of, GDPR compliance. The role of the DPO is to ensure that compliance and accountability are maintained at all times, that an inventory of personal data is kept, and that the organisation stays up to date with data protection laws, and to liaise with the relevant authorities on a regular basis.
Ability to Transfer Data
It is vital that all data that is collected and held by an organisation can be easily transferred or returned to the consumer. This data needs to be readily available at any time, as it is within the individual's rights to request it.
These are just some of the more important steps that every organisation needs to undertake in order to be ready for the new legislation, which will have a big effect on how business is carried out going forward.
For further information on the GDPR Act, please see www.dataprotection.ie/docs/GDPR/1623.htm