Call Us Today   01622 763355   info@allteks.co.uk

IT and GDPR: What Areas Must Be Covered

With less than 3 months to the implementation of the EU’s General Data Protection Regulation (GDPR), IT companies, data processing firms, and other businesses, in and outside of the EU territory are taking stock of their level of compliance with the regulation before the D-day rolls in. This self-check is important for every organisation, so they won’t be a victim of the strict sanction awaiting violators of the new regulations. Proactive steps need to be taken in order to be sure if all important aspects of the GDPR have been covered so as to guide against any supply chain breach that could have serious financial and reputational consequences for your business.

The EU’s General Data Protection Regulation (GDPR) is a product of four years efforts by the EU to improve data protection compliance, and the implementation will come into effect from May 25, 2018. GDPR will replace the current UK Data Protection Act of 1998 which was enacted following the 1995 EU Data Protection Directive. This new regulation has extended obligations to cover “unforeseen areas” as well as extension to additional territories not previously covered by the old regulations.

Given the expanded territorial reach of GDPR and the additional obligations it places on different actors within the data chain, businesses need to start reviewing their data protection policies and technology to check their level of compliance. Business owners should reach out to their local regulatory body or trusted consultants for advice on areas they must cover before the commencement of the regulation.

If your organisation operates in the UK or you process data of subjects residing in the EU territory, we aim to share with you key areas that must be covered before the May 25 deadline. This awareness can come handy for you as you tidy up some of the remaining loopholes. Here are some of the things you should check out to be sure you’re set to hit the ground running at the commencement of the regulation.

  1. Be Sure You Have a Data Protection Officer

Although the appointment of a Data Protection Officer (DPO) is not mandatory for all organisations, it is one of the key areas you need to look into before the D-day. Data protection experts have recommended that companies should consider hiring a data protection officer. Taking such a decision could be beneficial in many ways. They will be there to help you take proactive and prompt actions on the data in your domain, encrypt it, and keep them up to date in line with your security solutions. Just make sure you engage an expert who understands the nitty-gritty of data protection.

  1. Screen and Understand the Present Status of Your Data

If you don’t want to be hit by the regulators’ hammer, it is important that you clean up your existing data to be sure they are compliant with GDPR requirements. It is imperative that you screen the data so you can understand your present status. The screening should involve providing answers to critical questions such as: What kind of data do you have? Where is the data coming from? Who is it about? What do you plan to do with it? Why do you need it? Where is it stored? Who are you sharing it with? Who is in charge of the updating requirements? How long will you be keeping it? When do you intend to discard the data? And lots of other thought provoking questions. Until you’re able to provide answers to these factual and crucial questions, you may not be in a position to meet up with the requirements of the regulation.

  1. Documentation and Accountability

Greater attention must also be paid to the issue of documentation. GDPR’s accountability principle requires that organisations maintain records of their activities. It is a way of ascertaining the protection of rights of the individual data subjects. Documentation could also provide sizeable evidences in case of inappropriate sanctions from the regulatory body.

  1. Be Clear about Issues of Consent

Obtaining the consent of data subjects is crucial to meeting the GDPR compliance. The GDPR rule states clearly that companies should write their “consent request”in clear and plain language thatis not wrapped in unintelligible terms and conditions. The consent request should be separated from any other terms. It is also important that you are honest in your consent request by being sure that data are used for the purpose for which they were obtained. Have it in mind that individual subjects have the right to withdraw their consent and make a request that their personal data be deleted from your database. You must be able to demonstrate legitimate reasons for retaining any personal data.

  1. Check Your Data Recovery Procedures

You must have a buffer plan in place prior to GDPR compliance. Your buffer plan must be reliable enough to safeguard you in case of any data breach. You should double check to ascertain whether your disaster recovery plan is fail-proof. Business owners must also educate all their staff members on what to do or who to report to in case of any eventuality.

Conclusion

The best time to start preparing for the GDPR regime is now. The GDPR’s commencement date is already around the corner and if you failed to cover the 5 areas listed above, then you are already planning to fail. It means you are putting your company up as a potential victim for the regulators’ sanctions. So, it is imperative that you take proactive actions now. Any breach of the GDPR compliance could have serious financial and reputational consequences for your business.  The thought of compliance can be terrifying and feel like a mamouth and unachievable task.  Allteks are here to help you understand areas where you may be falling short, we work with best in show services and we can have you compliant before D Day.

Leave a Reply

%d bloggers like this: