What the ICO says –
“You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.”
What does this mean for your organisation –
This is squarely in the realm of the D of the DMPR acronym. (Discover. Manage. Protect. Report.)
Discover – What data the organisation has, where it is, why the organisation has it, how it is processed and why the organisation still needs it.
Protect – Implement appropriate technical and organisational measures that ensure and demonstrate that the organisation complies with GDPR.
Report – An organisation needs to ensure it keeps auditable records of all actions taken when managing PII.
This could be a significant amount of work for your organisation, dependent on what type of data it processes and how much it holds.
Identify what personal data the organisation holds and where it resides, e.g. servers, filing cabinets, warehouses, USB sticks, laptops. Identify which systems and departments hold data, and where, e.g. ERP, HR, accounts.
You need to find the data and decide what is Personally Identifiable Information and then confirm that the organisation is processing the data in line with the GDPR principles and lawful processing. If not, you could be breaching the rights and freedoms of the Data Subject. More on lawful processing on Day 6.
A risk-based approach to this task is very much the recommended option.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant; they are just to whet your appetite and get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018, the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.