Guide to GDPR
The 25th of May is the date that GDPR will become applicable across Europe. We have put together a checklist to make sure your business is prepared:
- Have you educated yourself as to what changes GDPR is bringing about (e.g. by attending a GDPR training/information session)?
- Are you aware of exactly what data you collect and process?
- Have you educated your staff in relation to how GDPR will impact on their role?
- Have you an internal procedure in place to deal with Data Access Requests?
Lawful, fair and transparent processing
- Do you have a legal basis for collecting all data?
- Where consent is relied upon, is the consent adequate under GDPR?
- Was the consent freely given?
- Was the consent informed (i.e. was the data subject aware of the purpose for which it was required)?
- Can you prove consent if required to do so?
- If the consent you currently hold is not adequate under GDPR, have you re-sought consent?
- Is a process in place to allow for the withdrawing of consent?
- Is data only used for the purpose for which it was originally collected?
- Do you only hold data that you genuinely require and is relevant?
- Where irrelevant data has been identified, has a process been put in place to erase it?
- Can you be sure data that you have collected is accurate and up to date?
- If not, is a process in place to ensure that this data is updated?
- Is a process in place to ensure personal data is kept up to date going forward?
- Is there a process in place for ensuring necessary changes can be made without delay?
- Is data only being retained for as long as is necessary?
- Do you know what types of data have legislative retention periods?
- For data that is not subject to a legislative retention period, have you given careful consideration to how long it will be retained for?
- Are data subjects aware of how long their data will be retained for?
- Is a process in place to ensure there is no unnecessary duplication of data?
Integrity and Confidentiality
- Is a process in place to prevent loss of data?
- Is a process in place to prevent unintended/unauthorised destruction of data?
- Is a process in place to prevent unauthorised access/disclosure of data?
- Is a process in place to prevent unintended/unauthorised alteration of data?
- Is data only accessible by those who require access to it?
- Have you assessed the risks involved with the data that you collect and put a process in place to mitigate these risks?
- Do you have a Data Security Policy in place?
- Do you have an incident response policy in place?
- Have you collated a Data Inventory outlining a complete list of all data you collect?
- Do you have a Data Protection Policy in place?
For more information please read ISME's guide to GDPR: