Suite 27, Liberty House, The Enterprise Centre, Greenham Business Park

Comply with GDPR

We can help you to comply with the General Data Protection Regulation

The General Data Protection Regulation (GDPR) has applied since 25 May 2018, and every organisation that processes personal data relating to individuals in the EU needs to ensure that it complies. Failure to do so can result in fines of up to 4% of annual global turnover or €20 million, whichever is greater.

The GDPR seeks to give people more control over how organisations use their data. It expands the rights of individuals over how their personal information is collected and processed, and it places a range of new obligations on organisations to be more accountable for data protection.

Understanding what you need to do to become compliant can seem daunting. While many of the GDPR’s requirements are much the same as those in the Data Protection Act 1998 (DPA), there are some significant additional responsibilities. The good news is that if you are already complying with the DPA, you have a sound basis on which to build towards GDPR compliance.

While the following requirements may seem burdensome and complex, our Consultancy Services team can help you. We can support you at every stage: an initial in-depth assessment of the data you hold, how and where it is used within your business and how it may be shared with third parties; penetration testing to identify vulnerabilities in your infrastructure; and the development and implementation of a full GDPR Compliance Action Plan.

GDPR compliance

To be compliant, you will need to:

  • Perform an information audit to map data flows.
  • Document what personal data you hold, where it came from, who you share it with and what you do with it.
  • Identify your lawful bases for processing data and document them.
  • Have systems and processes in place to record and manage ongoing consent.
  • If you rely on consent to offer online services directly to children, ensure that you have systems and processes in place to manage it.
  • Confirm whether you need to be registered with the Information Commissioner’s Office.
  • Ensure that if you offer online services directly to children, you communicate privacy information in a way that a child will understand.
  • Be able to recognise and respond to individuals’ requests to access their personal data.
  • Have processes to ensure that the personal data you hold remains accurate and up to date.
  • Have a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it.
  • Have procedures to respond to an individual’s request to restrict the processing of their personal data.
  • Have processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
  • Have procedures to handle an individual’s objection to the processing of their personal data.
  • Have identified whether any of your processing operations constitute automated decision making and have procedures in place to deal with the requirements.
  • Have an appropriate data protection policy.
  • Monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls.
  • Provide data protection awareness training for all staff.
  • Review how you ask for and record consent.
  • Have a written contract with any data processors you use.
  • Manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
  • Have provided appropriate privacy notices to individuals.
  • Have implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
  • Understand when you must conduct a Data Protection Impact Assessment (DPIA) and have processes in place to action this.
  • Have a DPIA framework which links to your existing risk management and project management processes.
  • Have a nominated data protection lead or Data Protection Officer (DPO).
  • Ensure that decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
  • Have an information security policy supported by appropriate security measures.
  • Ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.
  • Have effective processes to identify, report, manage and resolve any personal data breaches.

Contact us today for more information on our range of consultancy and project management services.