GDPR – under a month to go. Are you ready?

With less than a month to go now before GDPR comes into force on 25 May 2018, we are busy helping clients with their compliance. GDPR requires us all to demonstrate our compliance rather than assuming it in the absence of any complaint or fines.

GDPR Compliance

In order to demonstrate our compliance there are various actions that we can take:

  • Undertake a data audit – GDPR requires us to give our staff, customers and contacts much more information in relation to their data. We cannot do this unless we understand what data we hold, why, who sees it, where it is stored and how long we keep it. An audit is the most appropriate way to truly understand our data.
  • Prepare your record of processing activities – GDPR requires all businesses to have such a record. This is an internal document which sets out in broad terms the processing activities you undertake. It is a requirement for all businesses with over 250 employees or which process special categories of personal data. Remember that this includes medical data and so even small businesses may be caught if they have any employees with medical issues.
  • Implement Privacy by Design measures – GDPR requires us to consider data minimisation at all times: what do we need to keep, what can we get rid of, and how can we minimise the data that we hold?
  • Conduct impact assessments if required – where you are considering a change to your data processing activities, either by implementing a new system or by outsourcing a business function, you must carry out an impact assessment.
  • Review and update current policies and procedures, and ensure that they are put into practice – any policy created under the 1998 Act will need to be updated in line with GDPR obligations. We must give data subjects much more information than we have ever done – this will mean a review and update of your employee handbook, your privacy policy online, your data protection policy (now called Privacy Standards) and your terms and conditions.
  • Review all data processing contracts to ensure that they are compliant going forward – GDPR introduces new liability for data processors and their contracts must be in writing and be clear as to the precise scope and nature of the processing tasks that you are asking them to undertake.
  • Train staff and engender a new culture which looks at data protection compliance as a part of our daily business life.

If you require more help with your GDPR compliance, please contact us.

Tidman Legal is a firm of specialist intellectual property and business lawyers based in Edinburgh.