In the full text of the GDPR there are 99 articles setting out the rights of individuals and the obligations placed on organizations covered by the regulation. With the GDPR in force since 25 May 2018, several areas of your business may need urgent re-thinking. Individuals, companies and organizations that act as either ‘controllers’ or ‘processors’ of personal data are all subject to the GDPR, and it reaches organizations outside the EU as well when they process the personal data of people in the EU (Art. 3). If you haven’t already, now is a good time to start ticking off your GDPR compliance checklist.
We’ve listed the top five areas of your business under the scrutiny of the new data protection laws. Covering these areas will help to keep your data in tip top condition as you move forward.
1. Valid consent when collecting data
The revised rules have companies eager to become compliant, and among them is a keen focus on the lawful and ethical use of customer data. Consent is one of the six lawful bases for processing (Art. 6 GDPR). Where you rely on it, the conditions for consent (Art. 7) require that permission is requested before collection, use or distribution to third parties, and that it is freely given, specific, informed and unambiguous: a pre-ticked box, silence or inactivity does not count. For special categories of data, such as health data, the consent must be explicit (Art. 9). Once given, the data subject has the right to withdraw consent at any time, and withdrawing it must be as easy as giving it. Similarly, an individual can request that an organization erase all of their personal data, under what is officially termed the right to erasure, better known as ‘the right to be forgotten’ (Art. 17 GDPR).
2. Choosing what to store
If, for instance, your customers’ or employees’ data is held under a five-year contractual retention period, then it is the company’s duty to delete that data once the period has expired, unless another legal obligation requires you to keep it. This is the storage limitation principle (Art. 5(1)(e) GDPR): personal data may be kept no longer than is necessary for the purpose it was collected for. Keeping to these rules can be a long-winded process, which means a flexible and transparent storage solution, ideally one that records a retention period against each item, will be your best friend when it comes to managing data.
3. Correct storage
The ‘right to be forgotten’ means companies must be able to locate, correct or delete a person’s data on demand, as soon as a data subject asks to be erased from your system; the related rights of access and rectification (Arts. 15 and 16) require the same ability to find and change data, and all of them must normally be answered within one month (Art. 12). Where you store personal data will play a huge part in its security and ease of access. Whether you choose cloud storage (public or private), on-premises servers, or a hybrid approach, each has its drawbacks. You should look at data encryption at this point: the GDPR names encryption and pseudonymisation as appropriate security measures (Art. 32), and if a device or backup is lost, data that is encrypted with a key the finder does not hold is far less likely to harm the people it concerns (it can also remove the duty to notify those people of the breach, Art. 34(3)(a)). Encrypt data at rest and in transit, keep the keys separate from the data they protect, and make sure your indexing still lets you fulfil an erasure request across every copy, backups included.
The GDPR compliance checklist requires you to have granular knowledge of the personal data you hold and why you’re holding it, and to destroy any data you no longer have a legal or contractual basis to hold. On-premises storage, or storing files locally on a server or PC, puts the burden of backup, access control and physical security entirely on you: a lost laptop or a failed disk without a tested backup means personal data that cannot be recovered or protected. The sanctions for getting this wrong are severe: fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (Art. 83(5)).
On the other hand, data stored in the cloud can be accessed from anywhere at any time and is typically backed up regularly by the provider. That does not in itself make you compliant, though. The cloud provider is a processor acting on your behalf, so you need a written processing agreement with it (Art. 28), you remain responsible for ensuring the security measures are appropriate (Art. 32), and you must check where the data is hosted, since transfers outside the EU are only permitted under the conditions in Chapter V. With those in place, cloud storage is a sound way to keep your data safeguarded and retrievable.
4. Make information easier to find
When the time comes to start organizing an information audit, you’ll need to be ready and upfront about the data you hold, and who you share it with.
By law, as part of the GDPR compliance checklist, companies covered by the regulation must maintain records of their processing activities (Art. 30). There is a partial exemption for organizations with fewer than 250 employees, but it falls away as soon as the processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data, so in practice most businesses should keep the records. The records also feed other duties: for example, if you hold inaccurate personal data and have shared it with another company, you must inform that recipient of the correction or erasure so all records are kept up to date (Art. 19). Unless this information is documented and easy to find, you’ll have a tough time sifting through years of data entries in a hurry. In fact, the GDPR accountability principle (Art. 5(2)) makes documenting the processing of personal data a necessity rather than a choice. It requires companies to have effective policies and procedures in place and to be able to demonstrate how they comply with the data protection principles.
5. Thinking beyond your GDPR compliance checklist – privacy by design
Privacy by design is the practice of building data protection into new projects, processes and technology from the outset. This way compliance becomes a way of working rather than an afterthought.
It is in fact a listed requirement of the GDPR: Art. 25 (‘data protection by design and by default’) obliges controllers to implement appropriate technical and organizational measures, such as pseudonymisation and data minimisation, both when deciding how data will be processed and at the time of processing, and to ensure that by default only the personal data necessary for each purpose is processed. Beyond being mandatory, it’s a no-brainer for companies who want to get compliant and stay that way.
The benefits of integrating ‘privacy by design’ early on in your business are huge. When potential problems are identified and solved early, companies are less likely to breach the GDPR or the national data protection laws that implement it, and organizations gain an overall awareness of privacy and data protection.
In any company’s lifecycle, there are a few key moments to introduce data compliance or ‘privacy by design’ (and, where the processing is likely to result in a high risk to individuals, a data protection impact assessment is mandatory at that point under Art. 35):
- When building or buying IT systems that store or access personal data
- When you decide to use existing data for new purposes
- When you develop policies or strategies (or, for public bodies, legislation) that have privacy implications.
Fusing privacy into the core structure of your business is vital if you’re going to build inherently secure systems and processes, rather than bolting protection on reactively.
How can harmon.ie help your business?
Driving a unified data management system throughout your business is tricky and can take a lot of energy from your resources. That is why at harmon.ie we’ve created a cloud-based solution that helps you organize documents and emails intelligently by topic, the same way your brain naturally processes information. This not only makes data more accessible to employees, but also ensures your information is easily retrieved when it comes to compliance audits.