The deadline for GDPR compliance is now fast approaching (Friday 25th May 2018). The impact on a business will vary depending on its activities and on the nature and sensitivity of the data it holds. The GDPR applies to all data held (supplier, customer and employee) that can identify a ‘Natural Person’. A business’s roles and responsibilities under the GDPR are determined by whether it acts as a data controller, a data processor, or both.
For guidance on whether your organisation needs to appoint a Data Protection Officer, and how to ensure that your DPO is adequately resourced for the role, see the Data Protection Commissioner’s Guidance on appropriate Qualifications for Data Protection Officers (GDPR).
GDPR replaces the Data Protection Directive, and is intended to strengthen data protection for all individuals within the EU by:
- Reinforcing individuals’ rights
- Strengthening obligations for companies
- Enforcement by Data Protection Authorities
The key requirements for business-to-business customers are that they can demonstrate that they have developed a plan to reach compliance and that they have taken steps towards achieving it.
The key steps for business-to-business customers are:
- Awareness and training within the business, to ensure that everyone from the top down is aware of the requirements, implications and protocols.
- Implementation of GDPR compliance through maintaining a record of all processing activities.
- Maintenance of GDPR compliance, to ensure that all records are kept current and that both old and new records are dealt with appropriately.
- Demonstration of GDPR compliance, which requires that a clear reporting structure is in place covering all aspects of the business’s data collection, retention, processing and disposal activities.
- Reporting of a data breach, which requires that procedures are put in place to effectively detect, report and investigate a personal data breach (a notifiable breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the business becoming aware of it).
In establishing its GDPR compliance model, each organisation should, at a minimum, include documentation under the following headings:
- Personal Data Policy Framework
- Inventory of Processing Activities
- Managing Data Subject Rights
- Data Subject Access Request Form
The Data Protection Commissioner has launched a GDPR-specific website at www.GDPRandYou.ie