By now, you will have heard of the General Data Protection Regulation ("GDPR"). If you have been brushing it to one side, you should now bring it to centre stage. We have compiled a top 5 hitlist to help you with your preparations. As the UK Information Commissioner has said herself, "the 25th of May is not the end, it's the beginning."
You need to review your own policies, practices and processes to ensure they are compliant with GDPR requirements. You should document your review and identify your legal grounds for processing personal data in this way: what personal data do you collect and store; how do you use personal data; how long do you keep personal data for; and who do you share personal data with?
Any contract where you share high risk personal data, or where you share large volumes of personal data, should be prioritised for a review. There are mandatory provisions you must put in place in certain circumstances under GDPR. Some personal data will be higher risk than others - for example, medical data, biometric and genetic data, political opinions, racial origin etc. Business emails of business contacts will be lower risk.
Make sure your privacy notice is a clear reflection of how you use personal data in the business. There is specific information you must include in your privacy notice. You need to review your marketing databases and ensure you have the correct legal basis in place to continue sending marketing communications to these contacts. In some instances, this may mean consent. You might need to refresh your consents. You must ensure this process is correctly executed. The ICO has previously imposed fines on companies who have incorrectly contacted individuals. You should check: is consent needed; do you have a record of the necessary consents; and have you removed people from your marketing database if they have asked you not to contact them?
Review the security practices and policies you operate in the workplace. Do you give staff members blanket access to all personal data the business holds? You should only be giving access to personal data on a need-to-know basis. You should also ensure that your systems are tested on a periodic basis to reveal any weaknesses, which can then be remedied. This process should be documented. Review and delete personal data you no longer need - after all, nobody can hack it if you don't have it.
Your staff will need to receive training so they understand their own responsibilities and your policies and procedures. For example, they will need to be able to recognise and handle data subject requests, including access requests and requests to restrict processing activities.