Steps you need to take
What do you need to do to implement GDPR in your business
Identify what personal data you hold (this can be achieved by setting out the information listed in Article 14 of the DPJL or for smaller companies a tailored process such as the accompanying template that identifies details of personal data held).
Conduct a risk assessment of the personal data you hold and your data processing activities (Article 14(5) DPJL).
Implement appropriate technical and organisational measures to ensure data (digital and paper files) is stored securely. The security measures your business should put in place will depend on the type of personal data you hold and the risk to your customers and employees should your security measures be compromised.
Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of personal data (Schedule 2 DPJL).
Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business, that the data is accurate and kept no longer than is needed for the purpose for which it was collected (Article 8 DPJL).
Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to, and how long you need to keep their data on file (e.g. notices on your website or signs at points of sale) (Article 12 DPJL).
Establish whether or not the personal data you process falls under the category of special categories (sensitive) of personal data and, if it does, know what additional precautions you need to take (Schedule 2 (Part 2) DPJL).
Decide whether you will need to retain the services of a Data Protection Officer (DPO) (Article 24 DPJL). The DPJL allows you to outsource this function; however, you should be sure to check that your DPO has the skills and time to fulfil their statutory obligations under the DPJL. GDPR Infographic – Do I or Don't I need a DPO
Have appropriate procedures in place to facilitate requests from individuals wishing to exercise their rights under the DPJL, including rights of access, rectification, erasure, withdrawal of consent, data portability and the right to object to automated processing (Articles 27 to 38 DPJL).
Where appropriate, have up-to-date policy/procedure documents that detail how your organisation is meeting its data protection obligations.
Train your staff so that they know why it is important for data to be dealt with properly, how to do that and what they need to do/who they need to speak to if something goes wrong.
Have appropriate procedures in place to deal with any breach. You will ordinarily have 72 hours from the date of notification of the breach to report the matter to the Authority, so make sure you know what needs to be done, and by whom. You might also need to tell data subjects about what has happened.