With just over half a year to go until the GDPR deadline (25 May 2018), you are bound to be asking questions about what the update includes and how your organisation can get ready for it. To help out, we have outlined 7 principles of GDPR – meet these and you are on your way to being compliant.
GDPR applies to personal data, meaning data about identifiable living individuals. It does not cover data about organisations themselves (a company name or registered address, for instance). Note that personal data does not stop being personal data just because it has been made public: information someone has posted online is still covered, so do not treat "publicly available" as an exemption.
The 7 principles of GDPR
Know what you need and why
The main thing I am picking up about GDPR is that you must be able to justify every field of personal data you collect. Why do you need to know someone's ethnicity: is it required for a function your organisation performs, or is it only for analysis? I'm afraid "analysis" or "just in case" is no longer good enough. Be aware, too, that data such as ethnicity counts as special category data under GDPR and needs a specific lawful basis, not just a general one. Know exactly what information you need to collect and document why you need it.
Be clear about what you collect and why
Gone are the days when privacy notices were small print buried in a sea of terms and conditions. Now you need to be clear about what data you are collecting, why you need it and what you will do with it. This has to be prominent on the page where you are collecting the data, not buried in footnotes.
Keep the data secure
It sounds obvious, but you would be surprised! Make sure all personal data is encrypted, both where it is stored and when it is sent over a network, and that it is kept on a secure server with access limited to the people who actually need it. The system needs to be trusted and compliant with the Data Protection Act (DPA). It is your responsibility to know exactly where your data is stored, and that includes backups, spreadsheet exports and any third-party systems, so complete an audit before 25 May 2018 to confirm that every copy is safe and secure.
Don’t keep data longer than you need to
As part of the privacy notice you need to tell people how long you will keep their data, and then stick to that. Cleanse your data regularly and delete records that have passed their retention period, or renew consent and update them.
Dispose of data securely
When you delete or archive old data, make sure the deletion is actually secure: the data should be gone from live systems, backups and any copies held by third parties, not just hidden from view.
Take care when sending data internationally
All of Europe needs to conform to the new GDPR rules, but other countries may not match the standards and requirements of the law. GDPR does not ban transfers outside Europe outright, but it does restrict them to countries and recipients that offer adequate protection or appropriate safeguards. So if you are sending data to any third parties, make sure they are compliant with the regulations, and that a written contract with them sets out how the data must be protected.
Ensure data you have is kept up to date
Another principle showing how important data cleansing is. You are responsible for making sure your data is up to date and correct, so book in time regularly to do a data check; if emails bounce, remove those addresses. If you share data with third parties, you are also responsible for passing on corrections and updates so that their copy stays accurate too.
So, basically, make sure you document:
- What data we have
- Why we have it
- Where it came from
- Who we are sharing it with
The main message from me is: don't panic. There is a lot of noise out there at the moment, but for more information about GDPR visit the ICO website for guidance and advice.