GDPR Preparation – Protection, Legal Basis and Consent – Stage 2
In Stage 1 of GDPR Preparation we covered Awareness, Assessing Data and Creating a Data Register.
By this stage, you will have a solid understanding of what kind of data your company handles, how
much you store and how and where it is stored, and you will have started to formalise this
information in your Data Register. Here’s what comes next:
1. Put protection in place.
Once you have a clearer picture of what data you hold and where it is, it’s time to put security
in place to protect it. Start with a written data protection policy, then make sure the basics
are actually in place and checked regularly. These are some of the things you should be doing:
- Keep anti-virus software and operating systems up to date
- Make sure you have a properly configured firewall and secure wifi
- Make sure passwords are strong and unique, and change them promptly if a compromise is suspected
- Ensure employees take care when downloading and installing software
- Be extra careful that laptops and mobiles are secured, because they are the devices most likely to be lost or stolen
- Use shredders and lock away hard copies of sensitive information
- Have a Disaster Recovery Plan, and test that you can actually restore from your backups
2. Lawful Basis to Process
To be compliant, you are required to identify the lawful basis for each of your processing
activities. Consent is only one of the lawful bases available under GDPR (others include
contract, legal obligation and legitimate interests), so do not assume it is the right one for
every activity. Record the basis you rely on against each activity in your Data Register so you can
demonstrate compliance, and update your privacy notice to explain it.
3. Get consent in order.
There’s quite a lot to unpack here. First, review how you seek, record and manage consent
and whether you need to make any changes.
- Consent must be a positive opt-in (no pre-ticked boxes), be separate from your T&Cs
and be in clear and easy to understand language.
- As outlined above, it should be clear why you are processing data, whether it will be shared
and how the individual can withdraw consent or request erasure of their data.
- Keep a record of who consented, when, how and to what, so you can prove it later.
- Refresh existing consents now if they don’t meet the GDPR standard.
- If it is relevant to your business model, you should start thinking now about whether you need to
put systems in place for processing information about children: verify individuals’ ages and
obtain parental or guardian consent for any data processing activity. The age below which
parental consent is required is set by each member state within the range GDPR allows, so check
which threshold applies to you.
You are now most of the way towards being GDPR compliant. Watch out for the next and final blog in the series.