GDPR 2018: What to do now/Where do I start?!

An essential and great starting point is to conduct what’s called a data flow audit, and then performing a gap analysis which will essentially show you what needs to be done before 25 May 2018 to become GDPR compliant.

1st. Put together a data map.

Conduct a data flow audit of personally identifiable information to identify the sources of your personal data and map out the flow from your website to it's database and other systems.

Ask yourself:

1. What personal data are you holding in the business and what personal data do you collect?
2. Who owns the data collected? If personal data is received from a third party, do they have the lawful basis for data processing and do you too? Can you both provide auditable evidence?
3. Do you know why you’re processing it? What is your lawful basis come 25 May 2018?
4. Do you know who you share it with?
5. Do you know if you’ve got contracts in place to share it and how secure it is?
6. Put together a data map – go through all the personal data you hold and collect with a fine tooth comb and pick out all the little bits of information.

2nd. Perform a gap analysis.

Once you understand what data you’ve got, look at where you need to be with this data come 25th May 2018. Think about what your lawful basis is for processing personal data and make sure you are completely GDPR compliant.

GDPR creates a big governance change within organisations, processes will have to change along with attitude and cultural changes within. You need to have policies, procedures and mechanisms in place to show you’re doing everything possible when accountable for personal data.

What to do with old or archived personal data

All archived or old data will still fall under the GDPR regulation and all personal data has to be GDPR compliant before 25th May 2018. After doing a data map and finding the archived data, you’ll want to know if you can bring it back to life again.

First question to ask is – do you know where all your data is? There may well be some data you don’t realise you’ve got, hidden away, that you’ll find you shouldn't have under the new legislation. Data could be 4 days or 4 years old but the governing rule is, if you don’t know how you got the data, where it came from or how old it is by 25 May 2018 – get rid of it. You need to provide an auditable record and prove every piece of data you have is GDPR compliant, so it only takes one person to complain and say they didn’t give consent when needed for example, to create a legal case that you will lose if you don’t have supportive evidence that proves it is GDPR compliant.

Make a strict policy on data retention that abides to the new regulations – what’s your set period of time? Make judgement on how long to keep the data for and be strict on deleting securely. Make this apparent in your privacy policy.

For further guidance from the ICO, see their helpful documents: Preparing for the GDPR – 12 steps to take now and Data protection self assessment toolkit.

Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO – https://ico.org.uk/)