- Lawfulness, fairness and transparency (GDPR Article 5(1)(a)): Lawful: Every processing activity must rest on one of the legal bases set out in Article 6 (for example consent, contract, legal obligation or legitimate interests). Fair: Data must only be processed in ways the data subject would reasonably expect from how the processing was described to them. Transparent: Tell the subject, in plain language, what data is collected and what processing will be done with it.
- Purpose limitation: Define the specific purpose the data is collected for, and do not use it for other, incompatible purposes.
- Data minimisation: Only store what is required.
- Accuracy: The data is kept accurate and up to date, and inaccurate data is corrected or erased.
- Storage limitation: Data is kept for no longer than is necessary for the stated purpose.
- Integrity and confidentiality: Data is held securely using appropriate technical and organisational measures (Article 32). GDPR names encryption and pseudonymisation as examples of such measures rather than mandating them outright, but in practice data stored online or in the cloud should be encrypted at rest and in transit, and access to it restricted and logged.
The Information Commissioner’s Office (ICO) is the UK body charged with enforcing the regulation, and it has a track record of enforcement action against organisations that flouted the existing data protection rules (which predate the 25 May 2018 date from which GDPR applies). The ICO's 12-step checklist for GDPR preparation is a good place to start.
Whilst much has been written about this regulation, it is important to state that one cannot be GDPR “certified”. Or not yet at least! You can prepare your business by following the steps in the checklist above and, if needed, get help from a third party in areas where your organisation lacks expertise.
Whilst a large part of being compliant is an exercise in administration, there are very specific requirements that pertain to IT (see principle 6 above). A responsible business that already takes data and internet security seriously will most likely have many of these areas covered.
But because of the requirements of the regulation, and the possibility of being fined by the ICO, it is important to understand what is involved and what your business needs to do. There is a straightforward certification your business can attain to demonstrate that it is taking its IT responsibilities seriously. It is called Cyber Essentials, and it checks five basic technical controls: boundary firewalls, secure configuration, user access control, malware protection and patch management. See the Cyber Essentials programme for details.
Attaining this certification does NOT mean you are “covered” as far as GDPR is concerned, but it shows your business is taking IT security seriously and will make your path to GDPR readiness far easier.
ITGUY can help your organisation demonstrate its “GDPR readiness” from an IT perspective and provide guidance with all the parts of the GDPR process. Call us to discuss your concerns.
ITGUY takes GDPR very seriously. We attained Cyber Essentials Plus certification in April 2017. Additionally, we took on a consultant to check areas where we needed to beef up our overall compliance and legal assistance to ensure that we were adhering to the regulation correctly. Please see our GDPR compliance statement here.