GDPR: your 10-step plan for compliance before 25 May 2018

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Are you ready? Are you worried? With fines for non-compliance of up to 4% of group turnover or €20 million, perhaps you should be.

Follow these ten steps to make sure you’re ready for it.

  1. Get board and management buy-in. GDPR non-compliance is a significant business risk, especially if you handle customer and client data, but even if you don’t, your employee data will need to be secure. The board should be involved.
  2. Agree a budget. Compliance will at the very least take time, and if you need outside help, you’ll need a budget to pay for it.
  3. Organise the GDPR team. IT will be key, as they are likely to have responsibility for ensuring the technical security of data. HR will be involved in managing employee data as well as with training and education on GDPR. The marketing team will need to look at how they use data for direct marketing and other purposes. The procurement team will need to make sure their suppliers are compliant with GDPR too. Finance will be storing personal data for payment. The legal team will advise on compliance and may take the lead on the project. And you may need to use external advisers: for example, external legal advice on a detailed plan of compliance, and IT specialists to conduct a data audit and implement appropriate security measures if necessary.
  4. Carry out a data audit. What do you hold? Where? For how long? What do you use it for? What do your third party suppliers have (you are responsible for what they do with your data, so you need to be sure they’re compliant too)? What about transfers of data outside the EU?
  5. Purge your data. There’s no point keeping data that has no value to you, given the risks of something happening to it. Have a regular ‘cleanse’ of data you hold that has no purpose.
  6. Make sure the data you have is protected. After the audit and purge, ensure that your IT security is adequate.
  7. Review policies and procedures. What is your legal justification for holding personal data? Do you need specific consent? What about reporting data breaches? How will breaches be managed when there is an obligation to report within 72 hours, covering not just loss of data outside the organisation but also employees of the company accessing data that they shouldn’t?
  8. Work out how you will deal with people using their ‘rights’ over data. If you hold data on someone, they have the right to view it, request its deletion (the “right to be forgotten”) or amendment, and to have it transferred to someone else, all within 30 days. Can you do that? If not, work out what you need to do to be able to do so.
  9. Start educating and training your employees. Make sure everyone knows who the main point of contact is for managing data protection requests and what they need to do.
  10. Prove compliance. If you’ve complied with steps 1-9 above, you should be compliant. But that is no use unless you can prove it. Make sure you have documentation setting out exactly how you are compliant, with logs for actions taken on an ongoing basis (this is not a one-off project; complying with the obligations will require constant updating).

Sophie Spread is the Founder of SAS Law. SAS Law is helping clients to become GDPR compliant, including working with IT providers who can take care of the IT audit and security aspects as a ‘one-stop-shop’. Please get in touch if you would like to discuss how Sophie can help you. Find out more about data protection here.