16 February, 2018
This week marks 100 days to go until the coming into force of the General Data Protection Regulation in the United Kingdom. The ICO has confirmed that there will be no "grace period" come 25 May; GDPR was published in 2016 and so we are in the transition period now. Hopefully by now you will have gained an understanding of what is changing, but a lot of organisations are wondering where to start in their preparations for compliance.
With 3 months left to prepare, you have time enough to get ready - provided that you do it right! Whilst it may seem a daunting process for your organisation to go through, the only way to eat an elephant is one bite at a time. The best place to start is to take a look at some of the information available on our website here and on the ICO's website here. The ICO has helpfully published a useful template for you to use when carrying out your data mapping/data audit exercise - which is the first job on the list for your preparations.
You will need to go through all of your records, trawl through the old files hidden away in the basement, check all the Post-it notes down the back of your cabinets and sift through your IT systems, including your CRM system, mailing lists, local files and cloud storage directories. The objective here is to establish exactly what personal data you hold (remembering that personal data can be anything that identifies a living individual - it is not limited to people's names, addresses and photographs). Once you have worked out what personal data you are processing, and where it is stored, the next stage is to note the purposes for which you are processing that personal data, and the lawful ground or grounds on which you are processing it - be that to fulfil a legal obligation, as part of the performance of a contract, or consent.
Where you are relying solely on consent to process any personal data, you will need to establish when that consent was obtained, whether it meets the requirements to be valid consent under GDPR, and if not, whether you can upgrade that consent or if you will need to stop that processing.
Once you have completed your data mapping exercise, you should have a clearer picture of where the gaps might be in your compliance plan - does your retention policy deal with the disposal of all of the types of personal data that you hold; does it provide for periodic reviews and file-thinning after certain lengths of time? Do you have privacy notices for each category of data subject (employees, customers, board members and so on), to let them know what personal data of theirs you hold, and why? Is all of the personal data you process stored securely - does your business insurance include cyber insurance (and if not, how much would it cost you to take out a policy)?
The most important thing to bear in mind when carrying out your preparations for GDPR is that, nine times out of ten, it is not your directors, trustees or IT manager who collect and process personal data; it is your frontline staff, your volunteers and your reception staff. Therefore, those people are the ones you should talk to when establishing the life cycle of personal data that comes into your organisation, from the first phone call to the deletion of records in accordance with your retention policy.
Similarly, it is your frontline staff who are the ones who need to have the keenest understanding of what is expected of them, and the importance of getting it right. Once you have prepared all of the documents that make up your compliance plan, don't just put it in a cabinet or share it with the board and then forget about it - you will need to provide your staff with sufficient training on it to make sure that they put it into practice.
If at any point in your preparations you are feeling overwhelmed or that you need some further guidance, or if you would like some assistance with the drafting of your compliance plan documents, or the training of your staff, feel free to get in touch with me at Daniel.firstname.lastname@example.org or on 01254 222451. We offer a range of fixed fee GDPR support services and would be happy to discuss how best we might be able to support your organisation in its preparations for May 2018.