March 2018

Prepare for change: review and adapt your data, time is running out

Take a walk through any business in the country - carton-related or not - and there are panicked whispers reverberating down the corridors about the dreaded ‘GDPR'. We're striving to help prepare our members for the new General Data Protection Regulation (GDPR) and the truth of the matter is: time is running out. If you're still nonplussed or just need a little confidence boost that you're doing the right thing, read on, and if in doubt just give us a call.

GDPR will be enforced in only a few short months (25 May 2018), replacing the current Data Protection Act. How you handle data will change forever, and if you process personal data of any data subjects who live in the EU you need to ensure you comply with the new regulation. Notably, there are some direct obligations on data controllers and processors that you will need to understand and build into your policies, procedures and contracts.

The basics:
- GDPR is all about giving individuals more control over their personal data.
- GDPR applies to any personal data you store on your customers, and in ‘GDPR speak' personal data is considered to be any data that can identify an individual. We're talking name, ID, computer IP address, the list goes on.
- If you are collecting data then you need to keep those individuals informed of what data of theirs you are storing, how you are storing it and what you will do with it.
- Your communication must be transparent - this means no ‘pre-ticked' opt in boxes or confusing terms. Just straightforward language to ensure individuals understand what they are consenting to.

While only businesses employing over 250 employees need to maintain internal records of all data processing activities, this legislation affects businesses of all sizes - SMEs are not immune and still have to record activities relating to high risk processing. So we urge you to be prepared and get compliant. If you haven't already got to grips with the changes and set out an action plan, the clock is most definitely ticking. By beginning to build up a paper shield of evidence to demonstrate that you as a business are taking GDPR seriously you are taking your first steps towards compliance and avoidance of the potential €20million or 4% of annual global turnover fine.

This checklist provides an overview of what you must implement:
- Establish a framework for accountability - all companies will need to put in place clear policies and practiced procedures to ensure that you can quickly react to any data breach and to notify the regulator in time where required.

- Implement governance - appropriate technical and organisational measures are needed to show you comply. These could be internal data protection policies, staff training, internal audits of processing activities, reviews of internal HR policies and where appropriate you may want to appoint a data protection officer.

- Implement privacy by design - ensure that privacy is embedded into any new processing or product that is deployed.

- Consider the legal basis for use of personal data - consider what data processing you undertake. Do you rely on data subject consent or can you show that you have a legitimate interest in processing data that is not overridden by the interests of the data subject?

- Check privacy notices and policies - the GDPR requires that information provided should be in clear and plain language, so your policies should be transparent and easily accessible.

- Consider the rights of data subjects - data subjects can exercise their rights under the GDPR, including the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention.

- Consider international data transfers - for any international data transfers, including intra-group transfers, it will be important to make sure you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.

- Adhere to the Principle of Data Protection - This includes data minimisation, pseudonymisation, transparency, allowing individuals to monitor processing and creating and improving security features on an ongoing basis.

BPIF Specialist Services is working with a wide range of companies in the industry to help them become compliant. The following resources are available:

- GDPR Gap Analysis
- Open House GDPR Workshops
- Bespoke GDPR Workshops
- Bespoke GDPR Support
- Cyber Essentials Scheme - IASME Gold Certification

If you haven't already done so, now is the time to prepare for change; review and adapt your data to meet the new requirements.

For more information and to prepare yourself for the GDPR, contact BPIF Specialist Services on 01924 203335 or email [email protected]