With the latest figures showing that only 5% of firms are ready for GDPR, Rachel Letby, Director of Crail Consulting, shares five top tips to help you be fully compliant by the 25 May deadline
We’re all hearing a lot about the General Data Protection Regulation, otherwise known as GDPR, which comes into effect next month. Shockingly, the latest figures* show that only 5% of firms are fully ready for the 25 May deadline. This worrying lack of preparation may be down to a widely held view that there is a definite shortage of specific guidance from government and from professional bodies about how the regulation should be applied. Unfortunately, that is not an excuse to do nothing!
Here are five top tips we have been sharing with our clients to ensure they are all fully up to speed and compliant by the time 25 May rolls around.
1. Refer to the Information Commissioner’s Office website
The ICO provides guidance on how GDPR should be applied. Although you may find that reading it raises further questions, it is a good starting point.
2. Map your data to your processes – what data do you use and when do you use it?
This will give you a view about the data that you are using that relates to your clients. Don’t forget your employees’ data, which needs to be considered too.
3. Look at your client base – are there groupings of clients?
For each grouping, walk through how they might interact with you from their perspective. What processes might be used? From this insight, identify what data is being used. As before, don’t forget your own employees!
4. Do your clients have clients of their own? This may have an impact on you.
For example, you might be an accountancy practice with a children’s nursery as one of your clients. This matters because data about a child under 13 requires parental or guardian approval. You therefore need to think through the implications of handling data that could be linked to data about the children associated with the nursery.
This also applies to vulnerable adults. You should have consent from their carer, Power of Attorney or next of kin to hold that person’s data. If you already have that permission and don’t intend to change how the data is used, you don’t need to seek consent again; otherwise you do.
5. How are you going to safeguard that data?
The days of sharing a password around the office have long gone! A clear policy setting out how you will protect personal and sensitive data is the foundation of your approach. It ensures consistency, and it can be used for training and onboarding, for working with third parties and for demonstrating due diligence.
At the very least, all of this demonstrates that your organisation has been trying to comply with GDPR! And over the coming months, we’re sure that further guidance and precedents will emerge to clarify what is included and, just as importantly, what is excluded. Good luck!
*Study conducted by business improvement company BSI.