With the GDPR coming into force on the last Friday of May, understanding the full extent of the reform is key to preparing adequately and becoming compliant with it. A lot of guidance is available on the Information Commissioner’s Office (ICO) website, and it should be an organisation’s first stop for understanding the upcoming regulation and what it needs to do.
Time is ticking, but there is still time to become GDPR compliant. A sensible starting point is defining your priorities in accordance with the audiences you communicate with, both external and internal, and identifying all of the personal data you hold on those audiences.
The biggest question about the GDPR is whether the personal data your business collects is being gathered, stored and used for a legitimate purpose. As long as the answer is ‘yes’, minimal provisions should be required. Where the answer is ‘no’, ‘not really’ or ‘wouldn’t necessarily say “yes” to this one’, the GDPR will nudge you to spring clean your files, confirm permission with the individuals concerned, and get on the right track.
Finally, while small and medium-sized businesses are not legally obliged to employ a full-time qualified Data Protection Officer, they are required to have someone within their teams who takes on this extra responsibility.
Although daunting at first, once these initial hurdles are overcome, the rest should be relatively straightforward.