Stage 1 – Awareness, Data Identification and Creating a Register
1 Awareness
Make sure that the relevant people in your business are aware of the GDPR and the repercussions of not complying with it. This will typically be your stakeholders, decision makers and department heads. Assign one person or a committee to take ownership of GDPR compliance. Note that the obligation to appoint a DPO (Data Protection Officer) under Article 37 does not depend on headcount: it applies to public authorities and to organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The 250-employee threshold that is often quoted relates instead to the record-keeping duty in Article 30, which is covered in step 3 below.
2 Identify Data
Assess what personal information you hold, where it came from and how you hold it. A proper review must be made here: many businesses hold information in ways they had not realised. If your company is larger, all department heads should be involved in this. Ascertain how much information is being held and whether employees are storing information they should not be. Personal data under the GDPR includes:
- Basic identity information including name, address and ID numbers
- Web data such as location, IP address, cookie identifiers and RFID tags
- Health and genetic data
- Racial or ethnic origin
- Political opinions
- Sexual orientation
The last four are "special categories" of personal data under Article 9, which may only be processed under narrower conditions, so flag them separately in your review.
3 Create a Data Register
Your business will need to demonstrate its progress towards compliance should there be any queries. The supervisory authority for data protection (in the UK, the ICO) is responsible for checking compliance and can impose hefty fines. The Data Register (the "record of processing activities" required by Article 30) may be an important tool in proving the business's journey towards compliance. Under Article 30(1) it should record, for each processing activity:
- the name and contact details of the controller (and, where applicable, any joint controller, representative and DPO)
- the purposes of the processing
- the categories of data subjects and of personal data
- the categories of recipients, including recipients in third countries
- any transfers to third countries or international organisations and the safeguards relied on
- the envisaged retention periods for each category of data, where possible
- a general description of the technical and organisational security measures, where possible
Organisations with fewer than 250 employees are exempt from keeping this record unless the processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data or data relating to criminal convictions (Article 30(5)).
Once you have taken steps in all three of these areas you will be making firm progress towards compliance.
Catch up with our next blog for the steps that follow as we head into Stage 2 of GDPR compliance.