GDPR — Here’s my take on it
I am sure you have read loads of posts, guides and tweets about the new law coming into force on 25 May 2018.
Here is how we are tackling this as an agency.
The first thing I would say is DON’T PANIC!
There are lots of helpful resources out there to support you in preparing for the looming deadline. Take advantage of them.
I have spoken to many people recently and there seem to be two camps.
The Big Question
The big question everyone is asking…where do I start?
- Attend GDPR events and look at the Information Commissioner's Office (ICO) website. It has plenty of guidance and templates to use
- Review where you are currently as a business
The first session
The first of the two GDPR sessions we attended gave us a general overview of the regulation, guiding us through the maze that is GDPR, and covered the biggest changes that will take effect, such as:
- The same core principles still underpin how we collect, use, store and delete personal data
- New rights for individuals over their data have been introduced
- Details of the fines, which are now much bigger (up to €20 million or 4% of annual worldwide turnover, whichever is higher)
- Stricter consent rules
- The difference between Processor and Controller
The second session
In preparation for the second session (which was fast approaching), I had been focused on working through an internal audit of our systems.
The second GDPR session really focused on and drilled into the differences between Data Controller and Data Processor.
Data Controller — Determines the purposes and means of the processing of personal data
Data Processor — Processes personal data on behalf of the Controller, and only on the Controller's documented instructions
Tracey from Law Point demonstrated how to work out in which situations we (as a company) are Data Controllers and Data Processors.
Workflows Are Key
The simplest way to work this out is to break down scenarios into workflows. The two that I have completed below are basic ones just to give you an idea.
User Role Workflow
One thing to bear in mind which has not come up in the data flows so far is that a Data Controller can also pass data to another Data Controller (in which case both parties are Controllers in their own right, rather than one being a Processor).
When you look at the different people you interact with, you can very easily identify the role your company plays using these workflows. We have found that we are a Data Controller when it comes to employee personal data, but when working with clients we are, in most cases, the Data Processor holding their end customers' personal data.
How We Are Tackling This
Here is the plan we are working to:
- Review and assess the ICO's guide "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now"
- Review the documents and templates on ICO’s website
- Complete the review of all systems and remove any that are not required
- Complete an internal audit to identify the personal data we hold, where it came from and why we need it
- Create a GDPR data protection policy
- Confirm and document the procedures in place to detect, report and investigate a personal data breach (GDPR requires a reportable breach to be notified to the ICO within 72 hours of becoming aware of it)
- Re-check the ICO's 12 steps to ensure each one is covered by our company policies
So How Do You Start?
To summarise here is where to get started:
- Get a plan in place (the ICO has self-assessment checklists that will help you work out your to-do list as a data controller and as a data processor)
- Remove what personal data you don’t need
- Limit access where possible, on a least-privilege basis, and protect accounts with multi-factor authentication (several high-profile data breaches have come through compromised employee credentials)
- Read up on GDPR at ico.org.uk; this will help when you have lots of questions to answer
Get in touch if you have any questions, I would be happy to answer them, if I can :-)