There’s no time for your colleagues to pass the buck or bury their heads in the sand. The GDPR applies from 25th May 2018 and touches nearly every part of every organisation that handles personal data. It’s not just an IT issue: the GDPR affects HR, legal, marketing, procurement, facilities, training and security.
It’s therefore essential that your Board or management team takes ownership of GDPR compliance and looks across all these areas of the business. GDPR is everyone’s business.
Human resources / personnel and GDPR compliance
Your HR team is responsible for making sure that employees know their responsibilities for handling personal data. HR needs to build this into employment contracts, starter information and the induction programme.
HR may need to identify a lawful basis, and where they rely on consent, obtain it, for checks such as DBS and DVLA checks on new joiners. Similarly, HR processes personal data for payroll, and must tell employees what that data is used for and make clear that it will not be used for anything else.
For example, if you pass personal data to your pension or healthcare scheme providers, your organisation remains the data controller and is responsible for protecting your employees’ personal and sensitive data. That means making sure those third-party systems are also GDPR compliant and that supplier contracts are revised to include the processor obligations the GDPR requires (Article 28).
Legal – new contracts for GDPR
If you have a legal team, they will be responsible for those supplier contracts. Otherwise, responsibility may sit with an account manager, for example. The same goes for customer and marketing contracts, which will have to change to reflect the new data regulations.
Procurement – protect against third parties
Your procurement officer should make sure that any third party that processes personal data on your behalf is GDPR compliant and is bound by a written contract setting out what it may do with the data.
As the data controller, you must also have steps in place to protect your data if a third-party processor loses or compromises it, for example through a cyberattack. Your procurement team needs to know how and how quickly such an event would be communicated to your organisation: the processor must notify you without undue delay, and you then have 72 hours from becoming aware of a reportable breach to notify the supervisory authority, so the contract should make the processor’s notification duty explicit.
If you have outsourced your IT, make sure that the provider has GDPR compliant processes and systems in place to manage your data securely.
Marketing & Advertising under GDPR
Your marketing team needs to review how it collects, retains and processes personal data. In particular, the rules around consent are much tighter: consent must be freely given, specific, informed and unambiguous, pre-ticked boxes do not count, and it must be as easy to withdraw as it was to give.
Facilities and GDPR compliance
IT is only part of your security obligation. You also have information management responsibilities that depend on the physical side of your business. For example, are your buildings and server rooms secure? How do you dispose of devices that may contain personal data, such as old laptops, phones and removable media? Wiping or destroying the storage, and keeping a record of having done so, is part of compliance.
Training in GDPR
Your staff must be trained in their responsibilities under the GDPR so that they understand how personal data should be handled. This includes knowing how to recognise a suspected data breach or loss and who to report it to, because the 72-hour clock for notifying the supervisory authority starts when your organisation becomes aware of it.
If you don’t have in-house GDPR experts, Me Learning provides a series of role-specific online training courses in GDPR, which you can check out here.