This is a copy of our Article that was featured in the Guernsey Press (28/02/2018)
GDPR / Data Protection Law and practical steps to be taken
New data protection requirements, both the EU’s GDPR and the new Guernsey law, and the fines that may be imposed have caused significant concern within organisations. There are some simple steps that can be taken towards compliance with the new requirements.
- Data Audits
The starting point – a list of personal data held within an organisation, answering the following:
- What types of personal data do we hold/process?
- Where do we hold it?
- Why do we hold/process it?
- Who can access/use the data?
- How long do we keep it for?
- Privacy Impact Assessment
This helps to determine the risk involved in processing the personal data and should contain:
- A description of the processing
- The need for the processing
- The risks posed by processing the data
- Whether processing complies with relevant codes
- Safeguards and security measures in place to protect the data
- Lawful processing
There has been a lot of talk about consent; the common misunderstanding is that consent is required for any processing of data. This is not true as there are other mechanisms that also result in processing being lawful – for example fulfilling a contract with a client.
- Governance
This relates to the directors (or other governing body) of the organisation. They should review the output from the previous sections to understand the data processed by the organisation and the risks associated with it. Governance should ensure that the “tone from the top” results in good data protection practice feeding down through the organisation.
- Policies
There are two policies that an organisation should have relating to data protection:
- Data Protection Policy
- Data/Document Retention Policy
These are approved by the directors, driven by the data audit and privacy impact assessment, and set the high-level approach to data protection within the organisation.
- Processes & Procedures
The processes and procedures used by the organisation on a day-to-day basis should be reviewed and updated to reflect the policies. This means that compliance with data protection requirements becomes embedded in the practices of the organisation.
- Training
Training is important at all levels. All staff have responsibility for ensuring data is protected and should receive training. Directors and senior managers should have a greater level of awareness of the responsibilities of the organisation, whilst the data protection officer, or other responsible person, should receive detailed training on the requirements and their role.
- Review
Once all measures have been put in place, go back over the steps and see whether further improvements can be made.
Measures taken to comply with data protection should be proportionate to the business and to the categories and volume of personal data held. If you need help, there are training courses and consultants available to assist you. Nobody wants to be the first breach under the new law.