The General Data Protection Regulation (GDPR) consists of 99 articles that together set out the regulation in full. Because every organization handles personal data differently, there is no single recipe that guarantees compliance for all of them.
The Information Commissioner's Office (ICO) has published guidance recommending 12 steps organizations should take to prepare for and comply with the GDPR. The steps below follow that guidance.
- Documenting the data: Record all the personal data you hold, where it came from, and with whom you share it. The practical way to do this is an information audit: build a detailed inventory of every data set you possess and its source. Grouping the data into categories (for example customer contact details, payment records, employee files) makes later processing and requests easier to handle. Every category must have a lawful basis for processing. Where that basis is consent, check that the consents you already hold meet the GDPR standard (freely given, specific, informed and unambiguous) and refresh them if they do not. Tell your clients/customers which kinds of communication you will be sending them, and on what basis.
- Record of consent: Keep two sets of records about client/customer consent. The first records who gave consent, when, how (for example a web form or a signed document) and what they were told at the time. The second records who declined or later withdrew consent, so that their data is not processed on that basis by mistake.
- Update the procedures: Check that your procedures can supply individuals with their personal data in a commonly used, machine-readable format and can delete their data on request. Update the procedures so that such requests are handled within the required timescale, which is usually one month.
- Consent of clients/customers: Store only the client/customer data you actually need, and only under a lawful basis. When that basis is consent, the consent must have been obtained before the data is stored; without it, or without another lawful basis, you may not keep the data.
- Data storage time duration: The GDPR sets no fixed period for how long data may be stored. Its storage limitation principle requires that data be kept no longer than necessary for the purpose it was collected for. Once the work involving the customer's data is complete, delete the data. If you retain it for a legitimate reason, tell the customer that you still hold their data and for how long.
- Deletion of account: When an account is deleted, the default is to delete the personal data associated with it. If you wish to keep some of that data for a new purpose, contact the person and ask for their consent; if they consent you may keep it, otherwise delete it. Data that a legal obligation requires you to retain is the exception and should be kept only for that period.
- Data Breach: Put procedures in place to detect, report and investigate personal data breaches. Under the GDPR a breach that is likely to risk individuals' rights must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be told without undue delay when the risk to them is high.
- Data Protection Officer (DPO): Designate someone to take responsibility for data protection compliance. Appoint a Data Protection Officer if you do not already have one, publish the DPO's contact details so that your users can reach them, and communicate those details to the supervisory authority.
- Data retention: Create a data retention schedule, aligned with your data destruction policy, so that data is destroyed periodically once it reaches its retention deadline.
- Encryption of records: Make sure your company's desktops and laptops use full-disk encryption, and encrypt removable media such as USB disks. Check and maintain a record of the physical security of data held in other forms, such as paper filings.
- Rights of the clients/customers: Under the GDPR, clients/customers have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. Make sure your company can honour each of these rights.