Start an internal GDPR project
Managing the process of achieving GDPR compliance requires a staff member with an eye for detail and senior enough to be taken seriously. There's a lot involved in the process, so some of this employee's existing duties will need to be reassigned to allow them to work on the GDPR process.
Probable areas of expenditure: GDPR consultancy/advice, IT network upgrades, software upgrades and operating system upgrades.
Understand the GDPR
Start by reading a high-level overview of the GDPR, like our GDPR Primer, to get a feel for the intent of the new regulation.
Once you know the basics, start to read around the GDPR in more detail. Try our detailed GDPR Guide.
The Information Commissioner's Office has a wealth of great information on the GDPR.
The full General Data Protection Regulation can be found here. We also really like the https://gdpr-info.eu/ site, which has the GDPR arranged into sections for easier navigation.
Get professional help
The GDPR has many ramifications for every organisation and whilst it's possible to work them all out for yourself, getting expert advice will probably speed the process and give you a higher level of compliance.
Most small and medium sized organisations (i.e. SMEs) won't need to recruit or train their own Data Protection Officer (DPO), but some will. Read more about that in the 'When Is A DPO Required?' section of our GDPR Guide.
Audit where you are
The ICO has a great online GDPR readiness checklist you can work through to assess the current status of your organisation.
Check every hard-drive, spreadsheet, filing cabinet, desk-drawer and anywhere else where electronic or paper records of individuals' personal data could be hiding. See examples of what constitutes personal data here.
You need to keep paper copies of personal data secure, so ensure personnel data isn't, for example, kept in an unlocked filing cabinet in reception!
The security of your computers, your computer network and the software that runs on those computers are all major components of your GDPR compliance. Definitely seek professional help here.
Outsourcing your data-processing does not remove your responsibilities regarding the lawful processing of that data, so it's vital that any organisations that you share personal data with are also GDPR compliant. You will be co-liable for their errors with your data.
The GDPR prohibits transferring the personal data of EU citizens outside of the EU unless certain criteria are met. The most likely places this will be happening in your organisation are services like online marketing tools and online file storage, where the data you upload may be stored on servers based in the US or other countries outside of the EU.
The other area where data may leave the EU is where you employ the services of call centres or have off-shored any of your manufacturing, book-keeping or other processes to Asia.
Decide on the new you
The scope of this will depend on what you found when you audited your business processes. For most small businesses and medium-sized businesses (i.e. SMEs) it will be a case of tweaking some processes to minimise the personal data collected and then ensuring that data is disposed of at the right time. However, some businesses, particularly those who do a lot of profiling of individuals without their express consent (e.g. credit checking agencies, insurance analysts and indirect marketing companies), may find that fundamental changes are needed to their business to achieve GDPR compliance. In the worst cases this may even require some businesses to pivot to an entirely new business model.
Document the new versions of processes that were changed for compliance with the GDPR so that staff know what's expected now and put checks in place to ensure that employees don't fall back into old data-handling habits.
List out the processes that you are no longer doing at all and ensure that all staff are aware of these. Make it clear your organisation is committed to GDPR compliance.
Change the business
This is, without doubt, the most important factor in achieving ongoing GDPR compliance. It's vital staff understand your new business processes, know which processes can no longer be carried out and have a solid understanding of how to handle data securely and responsibly. And, that they stick to those processes and rules even when deadlines are looming. This requires a commitment from the top.
Your computers and your website are under constant attack from ever-evolving automated software via the internet. The only way for small businesses and medium-sized businesses (SMEs) to stay on top of this is to find a good I.T. company and pay them an ongoing fee to keep your infrastructure and software secure.
Your software audit probably identified a lot of areas where personal data can be gathered and where individuals' data is stored insecurely. Contact the vendors of those software packages to get the software updated to fix those issues. Update all of your software to the latest versions and keep it up to date going forward.
Make sure filing cabinets and store-rooms that contain records with personal data are locked and that access to the keys is restricted and logged.
Make sure your processes for handling requests from individuals for copies of their data, or for removal of their data from your systems, are ready and tested. Traditionally, many database-based software systems did not truly delete records behind the scenes (they merely flagged them as deleted), so ensure that yours do.
Ensure your processes for deletion of no longer required personal data are in place, running and audited regularly.
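The two points above (a "deleted" record that is really only flagged, and a retention sweep that should run and be auditable) are easy to get wrong, so here is an added illustration in Python using an in-memory SQLite database. This is example code written for this page, not a Redox product or a reference implementation; the customers table, the one-year retention period and the sample records are all constructed assumptions for the demonstration. It shows that a soft-deleted row still holds the person's name and email when the table is queried directly, contrasts that with true erasure that leaves only an audit-log entry, and runs a retention sweep that erases stale records and records each erasure.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention period for the example; a real one comes from your data-retention policy.
RETENTION_DAYS = 365


def open_db():
    """Create the example schema: a customers table with the common 'deleted' flag, plus an audit log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            id            INTEGER PRIMARY KEY,
            name          TEXT NOT NULL,
            email         TEXT NOT NULL,
            last_activity TEXT NOT NULL,
            deleted       INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE audit_log (
            id          INTEGER PRIMARY KEY,
            event       TEXT NOT NULL,
            customer_id INTEGER NOT NULL,
            at          TEXT NOT NULL
        );
    """)
    return conn


def seed(conn, now):
    """Insert constructed sample records (not real individuals)."""
    rows = [
        (1, "Alice Example", "alice@example.test", now - timedelta(days=10)),
        (2, "Bob Example", "bob@example.test", now - timedelta(days=400)),
        (3, "Carol Example", "carol@example.test", now - timedelta(days=800)),
    ]
    conn.executemany(
        "INSERT INTO customers (id, name, email, last_activity) VALUES (?, ?, ?, ?)",
        [(i, n, e, t.isoformat()) for i, n, e, t in rows],
    )
    conn.commit()


def soft_delete(conn, customer_id):
    """The traditional pattern: set a flag. The personal data stays in the table."""
    conn.execute("UPDATE customers SET deleted = 1 WHERE id = ?", (customer_id,))
    conn.commit()


def erase(conn, customer_id, now):
    """True erasure: remove the row and record only the fact that an erasure happened."""
    conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.execute(
        "INSERT INTO audit_log (event, customer_id, at) VALUES ('erased', ?, ?)",
        (customer_id, now.isoformat()),
    )
    conn.commit()


def personal_data_still_present(conn, customer_id):
    """Verification step for an erasure request: read the raw table, ignoring the
    'deleted' flag, because that is what a backup restore or an ad-hoc admin query sees."""
    row = conn.execute(
        "SELECT name, email FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    return row is not None


def retention_sweep(conn, now, retention_days=RETENTION_DAYS):
    """Erase every record whose last activity is older than the retention period.
    Returns the ids erased so the run itself can be checked and logged."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    stale = [r[0] for r in conn.execute(
        "SELECT id FROM customers WHERE last_activity < ? ORDER BY id", (cutoff,)
    )]
    for cid in stale:
        erase(conn, cid, now)
    return stale


def audit_events(conn):
    """Return (event, customer_id) pairs in the order they were logged."""
    return [(e, c) for e, c in conn.execute(
        "SELECT event, customer_id FROM audit_log ORDER BY id"
    )]


def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    conn = open_db()
    seed(conn, now)
    soft_delete(conn, 1)
    after_soft = personal_data_still_present(conn, 1)    # True: flag only, data remains
    erase(conn, 1, now)
    after_erase = personal_data_still_present(conn, 1)   # False: row is gone
    swept = retention_sweep(conn, now)                    # [2, 3]: both older than a year
    return after_soft, after_erase, swept, audit_events(conn)


if __name__ == "__main__":
    print(demo())
```

The point of personal_data_still_present is that an erasure test must query the raw storage rather than go through the application's normal "hide deleted rows" view; the same check belongs in your audit of the retention sweep, alongside a review of the audit log to confirm the sweep actually ran.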
Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).
We are not lawyers, always seek specialist GDPR advice for your organisation.
At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone, or any combination of those, either now or in the future.