The ICO is the regulating body for the General Data Protection Regulation. The right course of action for you will be to finalize a plan for your compliance and take small steps towards your goal. Document all your processes and procedures, down to the tiniest detail, as proof of your good-faith intention to achieve GDPR compliance. As long as you are actively working towards being compliant, the ICO will be able to see that you’re trying.
The first order of business is to audit all the information you hold and draw up a list of the personal data you currently hold.
1. Map all the sources of personal data in all your operations and document what you do with the data. Sort it by type, e.g. names, addresses, phone numbers, and so on. You will need to know the data sources. Attribute a source (websites, native mobile applications, other digital touchpoints) to each separate piece of information documented.
2. Figure out whether the data is stored on site or in the cloud. This could be a list of internal databases, but could also include offline stores and third-party storage providers.
3. Establish which departments or teams collect personal data.
4. Identify which third-party vendors you are sharing this information with, so that if you need to delete or amend the data, you can inform them that they must also update their records. Understand how the vendors use the data you share with them and whether they are complying with GDPR. Cross-check your contracts and service level agreements with them.
5. Each partner that has access to the data must have a valid reason to obtain and use it.
6. Decide which information you will continue to hold and which you can destroy.
In the process of cleanup, be mindful and ask yourself:
Why are we saving all this data?
Can we avoid collecting certain categories of personal information?
Can we delete this data instead of archiving it?
7. You should appoint a data protection officer or data controller who is in charge of GDPR compliance to manage data requests, report security breaches and ensure that relevant policies are updated from time to time.
8. Prioritize updating your terms and conditions, privacy policy and cookie policy. They should clearly state your alignment with the spirit of the law for protecting data privacy. Don’t claim to be compliant if you’re not. Just state your commitment to protecting consumer data and reassure your users that you’re actively working to meet GDPR requirements.
9. You need to have adequate measures in place to detect, report, and investigate in the event of a personal data breach. Have a communication plan to report a breach to your users.
10. GDPR requires you to establish a legal basis for collecting data, which you will need to outline in your privacy policy. You need to have proof that consent was requested and obtained. The proof must be logged in your system with a timestamp.