We’ve written lots in recent weeks about the imminent introduction of the European Union’s new data protection legislation, but what should you be doing to prepare for it if you haven’t already?
The General Data Protection Regulation, or GDPR, comes into force in May and will govern how businesses process and handle data.
Ahead of that date, Nick Robison, partner at Guernsey law firm Babbé, has a ten-step guide to help businesses get ready for the new regime:
- Don’t panic – there is still time to prepare if you act now.
- Do a personal data audit and document it – know what data you have, where it is and how it is processed.
- Review and, if necessary, upgrade the security of your personal data, including your back-up systems, e.g. firewall and virus software protection, encryption and password protection.
- Review your data retention policy, including how you delete data at the end of a retention period, e.g. can you selectively delete from your current servers and back-up tapes?
- Ensure you have a subject access request policy, e.g. have an allocated person who will deal with data requests from individuals, and systems in place to search efficiently for and collate the specific data in time.
- Prepare for data breaches by having a robust data breach plan, e.g. have an allocated person who will deal with clients, the regulator and the public if a data breach occurs.
- Check the data protection policies of all third parties who process your data to ensure they are compliant with the data protection law.
- Train your staff on data protection and how to avoid identity fraud, virus and malware attacks.
- Check whether you process sensitive, special category personal data and ensure you are processing it appropriately with the necessary safeguards.
- Be ready to demonstrate compliance with the data protection law by having records of all your data protection policies and procedures.
You can read a full data protection update from Babbé here.