7 Self-Assessment Checklists to Help You Prepare for GDPR

26th September 2018

If you’re still worried about GDPR compliance then you’re not alone. With so many areas to cover and keep updated, it’s no wonder that so many companies are feeling overwhelmed.

If you’re a small to medium-sized organisation, it’s particularly important to ensure you’re protecting your company and your clients from a data breach. You are most at risk of an expensive error harming your company and reputation.

So, to help you assess your compliance, we’ve put together some tips to not only increase your confidence in GDPR compliance, but to ensure that any personal client information is kept accurate, relevant and safe.

Here are some of the most important areas that you may have missed:

1. Lawfulness, fairness and transparency

GDPR insists that you map data flows and that you document what personal data you hold, where it came from, who you share it with and what you do with it. Your business must also identify and document your lawful bases for processing data, as well as have systems in place to record and manage ongoing consent. Don’t forget to monitor your own compliance with data protection policies and regularly review the effectiveness of data handling. It’s also a good idea to nominate a data protection lead or Data Protection Officer (DPO) to keep on top of GDPR compliance.

2. Understand individuals’ rights

You must be able to provide privacy information to all individuals, as well as recognise and respond to individuals’ requests to access their personal data; a well set-up and organised storage system can help with this. You must also securely dispose of personal data that is no longer required, particularly where an individual has asked you to erase it.

3. Information security

To stay within GDPR compliance, your business should have an approved and published information security policy which provides direction and support for information security. You should also put in place written agreements with all third-party service providers and processors, to ensure that the personal data they access on your behalf is protected and secure. Staff should be trained in security regularly, with entry controls restricting access to your premises and equipment. Secure storage is a good idea to protect records and equipment, helping to prevent loss, damage, theft or compromise of personal data.

4. Direct marketing

Someone in your business should be responsible for compliance with data protection legislation and PECR when carrying out direct marketing activities or roles. You should approve and publish all direct marketing policies and procedures so that your staff can see them, and provide data protection training to all staff. It’s a good idea for your business to have a retention policy in place for the personal data you hold for any direct marketing.

5. Records management

To manage records effectively, your business should incorporate records management within a formal training programme. This includes mandatory induction training with regular refresher material, and specialist training for those with specific records management functions. You should also carry out regular checks on records security and set minimum standards for the creation of paper or electronic records. It would benefit your business to actively maintain a centralised record of all records management systems and to protect them from loss or theft. A confidential waste disposal process should also be in place to ensure that records are destroyed to an appropriate standard.

6. Data sharing and subject areas

All staff must be informed of the policies, procedures and guidance that tell them when it is appropriate for them to share or disclose data. An appropriate member of staff should be assigned responsibility for ensuring data is shared effectively. You should also maintain a log of all shared personal data; a documented process for dealing with requests for personal data can help you do this effectively.

7. CCTV

When installing and operating a CCTV system, you should document the potential impact on individuals’ privacy and regularly review whether CCTV is still the best security solution for your company. If CCTV is the best option for your business, then you should pay the data protection fee to the Information Commissioner’s Office (ICO) and have a policy or procedure in place which covers the use of CCTV. You must then respond to any individuals or organisations making requests for copies of the images from CCTV footage and train staff in how to operate the system and cameras. It’s important to clearly inform individuals of your use of CCTV too.

For any assistance in ensuring your data is up to date and as secure as possible, please call Griffin House Consultancy today on 01673 885533 and we will be more than happy to help you comply with GDPR.

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk: you’ll find a friendly voice on the end of the line, or simply fill out the form below.
