In the U.K., the Information Commissioner’s Office (ICO) is responsible for enforcing penalties on non-compliant companies, and since the introduction of the GDPR and the Data Protection Act 2018, we have seen the first fines.
In a publication by the ICO on the 27th of November 2018, we saw that Uber was fined 385,000 pounds for data protection failings.
Being GDPR compliant is, in many cases, a lot easier said than done. Six months after the introduction of these data protection regulations, only around 20% of companies in the U.K. are said to be compliant, according to Itpro.co.uk (21 Nov. 2018).
7 STEPS TOWARD BEING GDPR COMPLIANT
A simple step-by-step guide, not intended to be comprehensive, with information from gdprandyou.io.
1. BECOMING AWARE
Identify the personal data you are handling in your business operations. In order to stay GDPR compliant, it is important that you know what data you need to keep secure. Therefore, identifying your potential risks is key.
Determine how, why, and where you are handling personal data from customers or other stakeholders. Also look at how long you will be keeping the data and how securely it is stored.
Before you collect any personal data, it is important that you let your customers know who you are, why you are collecting the data, how it will be used, who it will be disclosed to, and whether it will stay within the EU.
4. DATA BREACHES
Given the data your organization is handling, it is very important that you have good procedures in place to detect, report, and investigate a data breach.
5. CUSTOMER CONSENT REGULATION
If you record personal data on the basis of customer consent, it is important that you examine how you obtain that consent. According to the GDPR, the consent given by the customer must be “freely given, specific, informed and unambiguous”. In the case of underage subjects, this consent must be given by a guardian, so it is important that you are able to verify the ages of different subjects.
6. PERSONAL PRIVACY RIGHTS
Under the GDPR, the “data subjects” (the individuals) have firmer rights and more transparency in the way companies handle their data. Therefore, it is important that your company is able to abide by these rights and comply with the rights of the individuals in every case.
A DPIA, or data protection impact assessment, is mandatory under the GDPR for an organization involved in what is known as high-risk processing, such as large-scale monitoring of public areas or the deployment of a new technology. A DPIA considers the impact such projects may have. In such organizations, it is also in some cases required to have a Data Protection Officer.