Plan of action to achieve GDPR compliance
With the General Data Protection Regulation (GDPR) just around the corner, companies must start pushing through necessary changes early to achieve compliance in time for its arrival, according to Paula Tighe, Information Governance Director at leading law firm Wright Hassall.
Contents |
[edit] Introduction
It’s crucial that companies understand how much work is involved during the preparation stages of GDPR. The basic principles for every business will be the same and it starts with a comprehensive plan agreed between the people who will need to drive through the changes.
Remember, GDPR applies to all organisations who obtain, process and use data within the EU - the UK’s decision to leave the EU has no bearing on the new ruling.
[edit] Raise awareness and register it
First, ensure all decision makers in your organisation understand that changes and that non-compliance is serious. Start recording the process of meeting the regulatory requirements; this will help mitigate any risk of incurring penalties for non-compliance.
Known as the ‘Data Register’, this record will show what data your company currently holds and your reasons for processing it, helping you comply with the new accountability principles of GDPR.
Rather than stopping you from doing things, GDPR is about improving standards by encouraging organisations to make existing procedures more efficient. Review your existing digital and hard copy format privacy notices and policies; are they concise, written in clear language, easy to understand and easily found?
Finally, ensure this key information is clearly communicated to your data subjects, detailing how individuals can complain to the Information Commissioner’s Office if they think you’re doing something wrong.
[edit] Rights of the individual
Individuals will have more control over their personal data under the GDPR. Check your procedures and amend if necessary, detailing the format in which you will provide data, how you would delete it and how you will correct mistakes.
Individuals also have the right to have their information erased and the right to be forgotten. You must be able to prove that you have a process in place to comply with such a request.
Perhaps one of the key drivers for the changes, is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.
Having transparent procedures in place will go a long way towards heading off any future problems with the regulator, regardless of complaints or investigations. Remember, if your organisation handles personal data correctly under the current Data Protection Act, the switch to the GDPR should pose no real issues.
[edit] Prepare for personal requests
If an individual submits a subject access request, to see what information you hold on them, you cannot charge them and you must comply within a month. You can refuse to comply if you think the request has no merit — but you must tell them why and how they can complain to the regulator.
For SMEs, it will be more important to show a willingness to comply by trying to implement all the necessary steps and creating a data register, than to be fully compliant in May 2018.
[edit] Never assume you have consent
One of the trickier areas of the new regulations is handling consent for personal data to be captured and used for more than just contact.
Individuals must give clear consent for their data to be used, but must be allowed to revoke consent easily, at any time. If you change the way you want to use their data, you must obtain a new consent.
[edit] Keep reviewing and keep recording
Where data processing could pose a significant risk to individuals because of the technology being used, or the scale of the processing, you should undertake a Privacy Impact Assessment (PIA) before beginning the project.
These assessments will help you and the regulator decide the likely effects on the individual if their data is lost or stolen and should form part of your ongoing processes.
[edit] Make someone responsible and keep it up
If you routinely monitor or process personal data on a large scale, you should appoint a data protection officer who understands the regulations and how best to drive your data privacy processes.
It’s not just electronically-held data that can pose a problem; you also need to consider written records, which are also covered by the regulations — ensure all your staff are trained on the correct handling of personal data.
Record how you handle each step of the process in your Data Register. In the event of a complaint or a data breach, it will be those organisations unable to demonstrate what they did to assess risk and mitigate it that will suffer.
Organisations that can prove they have made an effort to comply, even if they are not fully compliant with every aspect of the GDPR from the word go, will do better.
This article was originally published in AT Journal Winter ed. 124.
It was written by Paula Tighe, a qualified data protection professional.
--CIAT
[edit] Related articles on Designing Buildings Wiki
Featured articles and news
A change to adoptive architecture
Effects of global weather warming on architectural detailing, material choice and human interaction.
How big is the problem and what can we do to mitigate the effects?
Overheating guidance and tools for building designers
A number of cool guides to help with the heat.
The UK's Modern Industrial Strategy: A 10 year plan
Previous consultation criticism, current key elements and general support with some persisting reservations.
Building Safety Regulator reforms
New roles, new staff and a new fast track service pave the way for a single construction regulator.
Architectural Technologist CPDs and Communications
CIAT CPD… and how you can do it!
Cooling centres and cool spaces
Managing extreme heat in cities by directing the public to places for heat stress relief and water sources.
Winter gardens: A brief history and warm variations
Extending the season with glass in different forms and terms.
Restoring Great Yarmouth's Winter Gardens
Transforming one of the least sustainable constructions imaginable.
Construction Skills Mission Board launch sector drive
Newly formed government and industry collaboration set strategy for recruiting an additional 100,000 construction workers a year.
New Architects Code comes into effect in September 2025
ARB Architects Code of Conduct and Practice available with ongoing consultation regarding guidance.
Welsh Skills Body (Medr) launches ambitious plan
The new skills body brings together funding and regulation of tertiary education and research for the devolved nation.
Paul Gandy FCIOB announced as next CIOB President
Former Tilbury Douglas CEO takes helm.
UK Infrastructure: A 10 Year Strategy. In brief with reactions
With the National Infrastructure and Service Transformation Authority (NISTA).
Ebenezer Howard: inventor of the garden city. Book review.
Airtightness Topic Guide BSRIA TG 27/2025
Explaining the basics of airtightness, what it is, why it's important, when it's required and how it's carried out.
Comments
The article offers a comprehensive guide for organisations navigating through the complexities of GDPR. However, achieving compliance is not just about understanding regulations; it’s about embedding best practices into the organisational culture. Transforming intricate industry-specific regulations into user-friendly workflows, producing relevant documentation to safeguard from potential non-compliance risks.