GDPR planning will be ongoing

Businesses, charities, sports clubs, government departments and voluntary organisations are continuing to prepare for GDPR, says Feargal McCormack.

With only weeks to go until the General Data Protection Regulation comes into force (25 May 2018), FPM clients are reviewing and updating their data protection policies and procedures.  What is clear from this exercise is that compliance is not a question of meeting a once-off deadline. Rather, it is a continuous process with data protection needing to be built into decision making and planning across all functions and monitored and refreshed on an ongoing basis.

The purpose of GDPR is to strengthen the privacy rights of European citizens by making organisations more accountable for how they collect, store, protect and use personal data. Businesses, charities, sports clubs, Government departments and voluntary groups all come under GDPR if they keep or use personal information, regardless of whether this data is held on computer or in structured manual files. Examples include employee records, customer databases, application forms, email and marketing lists, contracts, suppliers and websites.

GDPR – an ongoing process

While there has been much talk about the 25 May 2018 deadline, organisations need to focus on the fact that maintaining GDPR compliance will be a continuous process. Awareness is critical. Areas to focus on include:

• Accountability: In order to demonstrate GDPR compliance, you will need to be able to explain why you collect data, how you obtain it, how long you retain it for, whether it is shared with third parties, where it is stored and how it is secured.

• Transparency: You must be open, honest and transparent in your communication including using language that is clear and easy to understand.

• Personal privacy and subject access requests: GDPR gives individuals rights over their personal data including the right to have their data corrected or deleted. You need to be able to cope with these requests in a timely fashion.

• Legal basis of obtaining data: Examples of a legal basis include data obtained for the performance of a contract, data necessary to protect a vital interest, data obtained by consent, or in public interest, or to meet regulatory requirements or to meet another legitimate interest, Where you rely on consent as your legal basis, you need to be able to show that you obtained it appropriately and you will need to have an audit trail.

• Security: Your data security procedures must including addressing vulnerabilities and cyber risks on an ongoing basis.

• Data protection officer: Where you are required to appoint a data protection officer, you must make sure that this person has the knowledge and authority to carry out their duties effectively.

• Data breaches: Where data breaches occur, you must be able to detect, investigate and report them in a timely manner.

• Training: Staff should receive appropriate data protection training with regular updates to refresh awareness and knowledge.

GDPR will continue to be an important focus for organisations well beyond 25 May 2018.

Feargal McCormack l Managing Director
f.mccormack@fpmaab.com