- Project plans
- Project activities
- Legislation and standards
- Industry context
Last edited 26 Jul 2019
Plan of action to achieve GDPR compliance
With the General Data Protection Regulation (GDPR) just around the corner, companies must start pushing through necessary changes early to achieve compliance in time for its arrival, according to Paula Tighe, Information Governance Director at leading law firm Wright Hassall.
It’s crucial that companies understand how much work is involved during the preparation stages of GDPR. The basic principles for every business will be the same and it starts with a comprehensive plan agreed between the people who will need to drive through the changes.
 Raise awareness and register it
First, ensure all decision makers in your organisation understand that changes and that non-compliance is serious. Start recording the process of meeting the regulatory requirements; this will help mitigate any risk of incurring penalties for non-compliance.
Rather than stopping you from doing things, GDPR is about improving standards by encouraging organisations to make existing procedures more efficient. Review your existing digital and hard copy format privacy notices and policies; are they concise, written in clear language, easy to understand and easily found?
Finally, ensure this key information is clearly communicated to your data subjects, detailing how individuals can complain to the Information Commissioner’s Office if they think you’re doing something wrong.
 Rights of the individual
Individuals will have more control over their personal data under the GDPR. Check your procedures and amend if necessary, detailing the format in which you will provide data, how you would delete it and how you will correct mistakes.
Perhaps one of the key drivers for the changes, is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.
Having transparent procedures in place will go a long way towards heading off any future problems with the regulator, regardless of complaints or investigations. Remember, if your organisation handles personal data correctly under the current Data Protection Act, the switch to the GDPR should pose no real issues.
 Prepare for personal requests
If an individual submits a subject access request, to see what information you hold on them, you cannot charge them and you must comply within a month. You can refuse to comply if you think the request has no merit — but you must tell them why and how they can complain to the regulator.
 Never assume you have consent
Individuals must give clear consent for their data to be used, but must be allowed to revoke consent easily, at any time. If you change the way you want to use their data, you must obtain a new consent.
 Keep reviewing and keep recording
Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA) before beginning the project.
 Make someone responsible and keep it up
It’s not just electronically-held data that can pose a problem; you also need to consider written records, which are also covered by the regulations — ensure all your staff are trained on the correct handling of personal data.
Record how you handle each step of the process in your Data Register. In the event of a complaint or a data breach, it will be those organisations unable to demonstrate what they did to assess risk and mitigate it that will suffer.
This article was originally published in AT Journal Winter ed. 124.
 Related articles on Designing Buildings Wiki
Featured articles and news
Love them or hate them, they are popping up everywhere.
The initiative to enhance the environment continues.
Could underused community spaces offer an alternative to working from home?
Keeping workers and workplaces safe in the United States.
A history lesson in geographic information systems.
A low tech, easy to use method of extinguishing small fires.
How can these valued spaces be reused?
Partnership avoids the need for listed building consent.
Connecting building design from inception to completion to operations.
Gregor Harvie predicts interoperability will be construction’s Uber moment.
Expert commentary and insight.
Guidance offered for stained glass window maintenance.
Define need before determining viability.