HOW DO I GET COMPLIANT?

About making your IT systems GDPR-ready

IS IT EASY TO COMPLY?

Compliance can be complicated. The new law treats everyone as an individual. That means keeping data about any person, for more or less any purpose, brings your organisation under the new rules. Post-GDPR, individuals have all sorts of rights concerning their data:

  • To access their own personal data
  • To have inaccuracies corrected
  • To have information erased under the ‘right to be forgotten’
  • To prevent direct marketing, automated decision-making and profiling
  • To transfer their data from one controller to another

Your IT systems need to support all of this. And they also have to be able to show exactly how you comply with the principles of the GDPR, for example documenting every decision taken about a processing activity.

DOES GDPR COMPLIANCE DEPEND ON THE TYPE OF BUSINESS?

The GDPR applies to every company in the world that processes personal data of European Union citizens, including UK citizens post-Brexit. So all businesses that work with information about EU citizens will have to comply.

YOUR CRUCIAL FIRST STEPS TO COMPLIANT IT SYSTEMS

The first thing you should do is investigate your existing systems to check how compliant they are in their current state. You may be able to handle this internally, or you might need external expertise. The second step is to deal with the gaps you’ve identified, again something you can either handle yourself if you have the IT expertise or hand over to a professional IT support organisation.

HOW WE CAN HELP YOU ACHIEVE COMPLIANT IT

While we’re not GDPR experts, we are IT professionals. We can help you audit your systems and identify any issues, and we should be able to either fix those problems for you or recommend new or updated systems and software that will be compliant out of the box.

EXCELLENT GDPR RESOURCES

Here are some detailed plain language posts about the GDPR:

GDPR FAQ

The GDPR says data controllers have to carry out PIAs whenever the risks of a breach of privacy are high, and they need to do it before a project even kicks off, in the earliest stages.
The GDPR merges all manner of EU data breach notification laws to make sure organisations ‘constantly monitor’ their systems for breaches of personal data, notifying the DPA within 72 hours of finding a breach.
Businesses have to make sure they have all the right technologies and processes ready to allow them to detect and act on a breach.
Probably. It may also mean making changes to your internal data security policies and to how they’re promoted within your business. The idea is that everyone involved in the data side of things needs to know what constitutes a breach and how to recognise one.
A privacy notice must be written in simple, clear language and express the legal basis for processing the data, how long the data will be kept for and an explanation about your right to complain to the ICO.
No. And you will only have a month to comply, compared to the old DPA’s 40 days. You will also need procedures in place to explain why if you want to deny a request or charge for it.