With GDPR day fast approaching, organisations across Europe should be working towards full GDPR compliance. However, recent polls during VinciWorks’ webinar, GDPR – 10 steps to take before May, show that businesses still lack clarity and direction on how to prepare for the new data protection laws under GDPR.
Below are some of the key findings of the polls and guidance on how we can make sure we are ready for GDPR, or at least on the way to full compliance, come GDPR day.
Click here to download a free recording of the webinar
Preparing for new rights under GDPR
While less than 5% of organisations had fully prepared for the new right of individuals under GDPR, a worrying 35% feel that they are not at all prepared for the new rights.
What are the new rights under GDPR?
Right to erasure
This is one of the most talked-about innovations of GDPR. It means that someone can request the deletion or removal of their personal data, including information published or processed online.
Data Portability
While people already had the right to access their data through a subject access request, now it will have to be provided in a way that makes it easy for a computer to read (e.g. via a spreadsheet). A person can also request for their data to be transferred directly to another system for free. This could mean transferring all of your photos from one social network to another, or content from one cloud provider to another.
What should we do with our marketing lists?
In June 2017, Pub chain J.D. Weatherspoon announced that it would be deleting its entire marketing list, saying “Many companies use emails to promote themselves, but we don’t want to take this approach”. They felt that holding such a large amount of data was too high a risk. While only a small amount of respondents plan to follow in J.D. Weatherspoon’s footsteps, 49% were not yet sure what to do with their lists. “The first thing you should be doing is mapping your data. This means finding out what you have, where it is, who is in control of it and how it is used”, says Nick Henderson, Director of Course Development at VinciWorks.
18% of organisations do not know what a Data Protection Impact Assessment (DPIA) is
Carrying out a DPIA can be a timely process, so it is worrying that so many organisations had never heard of the term prior to the webinar, with a further 45% having not started their DPIA.
What is a DPIA?
A DPIA is essentially a risk assessment an organisation might take when they are about to take on any big new projects that might impact data protection. It’s also a good idea to conduct them on current data processing activities. It contains a detailed description of the processing operations, an assessment of risks, and what controls have been or need to be put in place to protect people’s information. Ideally, the DPIA should be integrated into the project plan. In some very risky situations, you may need to consult with the ICO and share the DPIA with them.
Processing subject access requests
With over 60% of organisations having never processed a subject access request, businesses may lack clarity and understanding on how to process a request.
What is a subject access request?
A subject access request is a request by a data subject to obtain all the data your organisation holds on them. Under the new right under GDPR called data portability, an individual can now request for free that all their data be transferred to another system, a service that under the UK Data Protection Act 1998 costs £10.
GDPR compliance assessment
How ready are you for GDPR? Have you conducted any GDPR focused data audits? Have you updated privacy notices for GDPR? Take our short assessment to assess your level of compliance under GDPR, with a score and helpful feedback given upon completion.
Preparing for GDPR day – 10 things to do now
VinciWorks has created a short guide to help organisations see what they still need to do to prepare for GDPR. The guide is also part of our GDPR resources page.
