The GDPR

The GDPR is a European Union regulation established to strengthen data protection for individuals in the EU. Its requirements are retained in UK law after Brexit (as the UK GDPR, alongside the Data Protection Act 2018).

Labyrinth can help you build an Information Asset Register and ensure your systems are managed in line with your data policies. Here are some of the key considerations for the GDPR.

Where is your data held?

You must be able to identify where all personal information is stored.
Labyrinth will help you implement a register detailing where your data is stored.

Who is responsible for your data?

You must be able to name who in your organisation is accountable for personal data.
Accountability alone is not enough: you should develop your own internal data protection policies and train all of your staff on them. Consider whether you are required to appoint a data protection officer.

Do you understand the new rights of data subjects?

One key example is the right to erasure: data subjects can require you to delete their personal data, for instance when it is no longer necessary for the purpose it was collected for or when you no longer have a lawful basis for processing it.
Are you able to find and remove an individual's data from all of your systems, including backups and third-party services?

Do you have consent?

Consent is only one of the lawful bases for processing. You must identify and be able to demonstrate a lawful basis for each type of personal data that you store and process.
You should clearly document your processes and the basis relied on for each.

Privacy and Security

You are required to build data protection in by design and by default.
You must only process personal data that is relevant and necessary for a specific, stated purpose.
You should also ensure data is secure by implementing appropriate technical and organisational measures, for example encryption and pseudonymisation.

Breaches

You must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms.
You should define a policy for detecting, handling and reporting breaches before one occurs. Non-compliance can be fined up to 4% of global annual turnover or €20 million, whichever is higher.

Communication

You should publish your privacy policies.
You must set out the lawful basis for each processing activity and ensure data subjects are aware of their rights and of your complaints procedure, including the supervisory authority they can complain to.

Third Parties

You remain responsible for the personal data that you store and process, even when a third party does so on your behalf. You must take reasonable steps to ensure that third-party services handling personal data are secure and compliant, and have a written contract in place with each of them that sets out their data protection obligations.