Complying with GDPR

Just a few weeks before the EU General Data Protection Regulations come into force, time is running out to make your organisation compliant.  Practising good privacy and data security is the obligation of every company that handles personal data, but the new regulations introduce formal requirements for documenting and communicating compliance.  You will need to take technical measures to protect personal data and inform subjects about how you use their data.  The mainstays of demonstrating GDPR compliance are the privacy notice and the privacy policy.
Privacy Notice
The privacy notice is a document for people whose data you will control and/or process.  This may include employees, customers, students, prospects and service users.  The notice informs and empowers these stakeholders by setting out what data will be used, how it is obtained, how it is used and their rights to this data.  The privacy notice should be actively communicated to the affected people – especially when you are relying on the consent of the data subjects to lawfully hold and process their data.
Privacy Policy
The privacy policy is a document for your organisation which sets out the processes that are used to make your organisation compliant.  It will provide clear methods for identifying, handling and destroying personal data.  By formalising these processes it will be easy for your staff to identify protected data and avoid infringing the data subjects’ rights.  It will include details of the technical measures that will prevent data breaches and the policy measures that protect the company.
Data subjects’ Rights
Everyone whose personal information is held (‘data subjects’) has explicit rights under GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object to data processing

Your obligations
As an organisation you must ‘implement appropriate technical and organisational measures’ to protect data and demonstrate compliance.  The level of security required is proportionate to the sensitivity of the data, i.e. how much the unauthorised destruction, disclosure or processing of that data would harm an individual’s interests.  You should carry out a data protection impact assessment so that you understand and mitigate the risks involved in processing personal data.

GDPR does NOT require that you encrypt all personal data; the corollary of this is that encryption alone may not be sufficient to comply with the regulations.  Consult your data protection officer or IT service provider for advice on when encryption should be used and what further measures are needed.  Encrypting data in transit, such as email attachments, backup drives and USB keys is sensible and proportionate – but it’s useless if your operating system and anti-virus aren’t up-to-date, for example.
How Blue Compute can help
Here at Blue Compute we’ve a wealth of experience in data management and technical regulatory compliance.  Specific services we can provide to ease the GDPR process include:

  • Conduct a data audit of your business to identify all sources of personal data
  • Produce a bespoke privacy notice and data policy specific to your organisation
  • Implement data encryption where required (and advise on where this is required)
  • Provide complete network management to ensure system integrity and identify / prevent data breaches
  • All aspects of consultancy and advice aimed at making GDPR compliance an easy and straightforward process for your business
