You can’t have failed to notice that the General Data Protection Regulation (GDPR) came into effect in May 2018.
GDPR replaced the old Data Protection Act 1998. While you may have taken plenty of time at the beginning of the year to prepare your business for the new law, it doesn’t end there. GDPR, just like the DPA before it, will be a vital aspect of all future planning and training.
So how do you make sure your business continues to be GDPR compliant?
Here are 6 rules to follow:
1. Record and report breaches
It is an obligation to maintain a ‘breach register’ where all breaches, whether large or small, are recorded. For any data breaches serious enough to result in, or be likely to result in, a risk to an individual’s rights and freedoms, the breach must be reported to the ICO within 72 hours. If the risk of damage is high, the individual concerned must also be notified of the breach.
2. Conduct a DPIA
A DPIA (Data Protection Impact Assessment) must be carried out with the introduction of any data system that uses personal information in a way it has not been used before, or when new data is being collected for a new purpose. The DPIA is designed to help recognise, and minimise, the risk of harm from the use of personal information. The assessment consists of a set of questions that ensure you are considering the full implications of any data system before it is introduced. You can download a guidance checklist and a template here.
3. Identify and support a DPO
A Data Protection Officer (DPO) is a new role introduced with GDPR. The DPO is responsible for monitoring compliance with data protection laws, maintaining the breach register and contacting the ICO if needed, as well as monitoring the DPIA. The Data Protection Officer must be able to report to the highest level of management within your business, and they must be protected from being disciplined, ignored or dismissed over any issues arising from their duties. To be GDPR compliant, it’s important to make sure data protection is on the agenda for all your high-level organisational meetings.
4. Check your suppliers
You must have a formal contract with your data processor; it’s illegal not to. If you start working with any new data processors, or IT recycling suppliers, they must have the minimum accreditation and competencies. It’s a criminal offence to work with one that does not.
5. Know their rights
In a school setting, student records must be kept under statutory provision in The Education Regulations 2005. In a primary school, for example, this means that student records must be kept while the student is at the school, and should follow them when they leave. Outside of a school setting, any individual has the right to demand that all data held about them is deleted. If you need further advice about the rights of data subjects, you can speak to your local authority.
6. Train, train, train
All new employees should receive GDPR training during their induction, and there are numerous online courses available to make this easy to achieve.
GDPR requires constant monitoring and reflection, so make sure your establishment is compliant!