The new General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018, bringing with it a raft of new data protection and privacy obligations. However, many businesses are still unsure as to how they should update their privacy policies and data privacy for customers.
To help you get some clarity, Mike Heath, Head of Business Systems at Polyco Healthline, who is responsible for our compliance with the European General Data Protection Regulation, talks about the steps we have taken towards becoming GDPR compliant.
When it comes to compliance, Mike believes this can be broken down into five key areas:
Understand what data you have
To understand what data we have, we carried out a data audit with our nominated data owners (see below). This means looking at all the places we hold Personally Identifiable Data (PII) and Sensitive Personally Identifiable Data (SPII), not forgetting things like paper files or files people may have stored locally on their PC desktops. We then validated all the information gathered in the audit to ensure that the data we store is actually required. Any data that we didn't need to conduct business or couldn't justify keeping under a Legal Basis for Processing was securely disposed of.
Manage your data
Managing data is a wide-ranging topic which is hard to cover in its entirety, but some of the key points we had to consider were:
- Updating all our policies, or creating new ones, relating to how we manage data. This included new Data Protection and Retention Policies and updated Website Terms and Conditions. Additionally, key new policies were our Data Breach Policy (the GDPR is very specific regarding how a breach is managed and dealt with) and our Subject Access Request Policy; once again, the GDPR is very specific about how you have to respond to a data subject who requests access to the data you hold on them.
- Ensuring the security of data is paramount. The simple questions you need to ask are: Do I need to keep this data? And if so, why? And who actually needs access to it?
Ensure data has an owner
The Head of Business Systems can't be responsible for everything! Data ownership means ensuring that a person in your organisation responsible for data in their care can give a legal justification for that data to be held and only used for its designated purpose. They are also responsible for ensuring that it's only retained for as long as is necessary (covered by the Data Retention Policy) and is only available to staff who need to use it to do business.