The EU is preparing to release new data protection regulation reforms. Whilst the exact details have not yet been released (and it will be a number of years before the new laws are actually put into practice), it is never too early to begin preparing your business for the changes. Preparing your business now means that you can ensure that you are completely on top of your current responsibilities before tackling any new ones that the regulations might require. Of course, the impact that these data protection changes might have on your company will vary from business to business, but here are just a few ways in which you can prepare:
Privacy as Standard Practice
In order to ensure a move towards complete data protection compliance, it is important that all of your computer systems and data storage processes have data protection at their core. This means that every piece of sensitive data your company holds should be protected at all stages of its storage. You should also regularly review any data that is stored and effectively and securely dispose of it if it is no longer required, ensuring that you meet all ‘data minimisation’ requirements.
Develop a Breach Management Process
If your company already has a strategy for managing data breaches, it is important that you are completely ready to implement it in the event that a breach occurs. If this is not the case, it is important that you develop a breach management process as soon as possible. The plan should involve arrangements to notify any affected parties (as well as the ICO) straight away. Most importantly, you should ensure that your business has taken suitable security measures to prevent data breaches in the first place, and you should regularly review the effectiveness of these measures.
Clarify Consent and Control
It is important that your clients are aware of the types of data you are holding about them and how you are using such data. Do you have a clear way for your clients to consent to such data storage, and how do you log this? It is key that you are able to respond as quickly as possible to any change in a client's consent to you storing their data.
In order to be data protection compliant you should be able to explain how your data protection processes function, and demonstrate how they work in practice. You should make the type of data you store easily available to those whose data you store, and they should be able to easily access information about your data handling strategy.
While it may not be necessary to employ a designated Data Protection Officer, it is important that you have a small number of staff members that can help you and your employees understand and implement the requirements of the new regulations. If you do not already have staff members in this role, you should either train your existing staff or be aware of where you can source such expertise if it is required.
We cannot predict what the new regulations will require with regards to data protection, but if you and your staff are up to date with the current requirements, you will be in much better shape for the coming changes.