29 May 2017 Business

The 12 steps to GDPR compliance

1 Ensure that decision makers are aware that the law is going to change and that they appreciate the likely impact of this.

2 Understand what personal data you hold, where it originated and who it is shared with. An information audit may be needed.

3 Put in place policies that control who you share personal information with, and ensure that such sharing complies with the GDPR.

4 Ensure that you have policies to cover all the rights that individuals have, including the right to have their personal data deleted.

5 At the same time, establish procedures that enable you to answer requests for information according to the new timescales.

6 Understand why you are processing data, and document what you are doing and why. Data processors will have more responsibility under the new rules.

7 Consent is the key notion. You must ensure that you have consent to hold data and to use it. As a processor you need to be sure that the data controller has obtained correct consent to use personal data.

8 If dealing with personal data around children, parental or guardian consent will be needed – not so likely for print businesses.

9 You need to have clear procedures of what to do in the event of a data breach. Individuals and the authorities may need to be notified in appropriate timescales.

10 Understand the work that the Information Commissioner's Office has produced on Personal Impact Assessments and how these should be implemented inside the organisation.

11 A Data Protection Officer will be needed as the custodian of all GDPR-related activity, ensuring compliance and holding the authority to take decisions around personal data.

12 When working internationally, understand where the ultimate data supervisory authority resides. It may not be in the UK if the customer is based outside this country.

The precise definitions of all roles and statements have still to be worked out or published. These will be issued via the ICO website. There are consultants to advise, and help can come through trade organisations like the BPIF.

Contracts may need reviewing to cover the handling of personal information and responsibility for that information.

Gareth Ward

General Data Protection Regulation Compliance

Just because someone hands over his business card at an exhibition does not mean that data can be used to send him emails. His express permission is required.
