Thomson Reuters
GDPR

The countdown to GDPR: essential advice

It is under 100 days until the General Data Protection Regulation (GDPR) is implemented on 25 May 2018.

In the lead-up to the changes in the data protection principles, experts have published an extraordinary amount of information on what the new regulations mean for organisations and how they should be approached, as well as warnings about the potentially large fines that could be imposed should an organisation fail to be compliant.

In some ways it is understandable that in-house lawyers may not have kept constantly up to speed with data protection reform over the last six years. Sifting through the vast quantity of available online guidance can therefore be a lengthy task, and it is sometimes difficult to know where to begin.

However, with the introduction of the GDPR fast approaching, Thomson Reuters’ Practical Law In-House Blog has published some practical advice and tips focusing on the core principles of the GDPR.

Amongst the advice, the guidance from Practical Law highlights that the GDPR ‘is an evolution from and an enhancement of the provisions of the Data Protection Directive, implemented into UK law by the Data Protection Act 1998.’

Additionally, summarising the essential information relating to the incoming GDPR, the advice outlines three core tips:

1. Get familiar with your organisation’s use of personal data and the data protection principles.

2. Put data subjects at the centre of your processes when seeking to implement the requirements of the GDPR.

3. Do not treat the GDPR as a box-ticking exercise. Paying lip service risks complaints from data subjects and enforcement action from the Information Commissioner’s Office. Could your organisation survive a big fine or operate without being able to process personal data on a temporary or permanent basis?

Understand why and how your organisation uses data

Taking it back to basics, it will be helpful to understand why and how the organisation uses data within its processes. If your organisation is yet to analyse its data, or bring in an audit service provider to support this process, think about why and how your organisation uses personal data.

Building a picture of how you store personal data and for how long it is kept will also provide necessary insight into the data you hold, as will listing all the decisions you make with personal data, including any automated decision-making processes. You will need to be clear about where you obtain personal data from and with whom it is shared.

Test the organisation’s use of personal data against the incoming GDPR

Once your organisation has gained an understanding of how it uses the data from an audit, a test against the requirements of the GDPR will provide further insight into achieving compliance.

To read the remaining advice, including further information on testing the organisation’s use of personal data against the requirements of the GDPR, aligned with the other data protection principles – click here.
