Five tips for GDPR

After four years of negotiation, the European Union has adopted the General Data Protection Regulation (GDPR). It will come into force in May 2018 – now is the time to prepare.
The EU wants to reform data protection and cut red tape for businesses across Europe by bringing in a single set of rules. In addition, the Regulation aims to protect the rights of European citizens, giving them better control over their personal data.
Here is a basic guide on how to start the compliance process:
1. Begin with an information audit - If you don’t know what data you have in the business and where it is, you have no chance. Both paper and electronic files will be included under the Regulation, which will cause companies some serious problems. If you don’t audit, you have no chance of fully complying.
2. Decide what data to keep - The idea of keeping every record “just in case” is no longer valid. A vital part of good data governance is knowing which data is useful and which is likely to have no value – or may even end up costing you money. 
3. Securely destroy unnecessary data - Very few businesses come out of a data audit with a 100 percent result, so there will be remedial work to do. Companies may need to securely destroy unnecessary data stored on paper – for instance, data that is no longer needed or has been kept beyond the retention policy date.
4. Data Protection Officer - Set a budget and oversee the appointment, which will be key for larger companies but also for many smaller ones that handle a high volume of personal records. For the latter it may be necessary to outsource the role – and we may well see specialized DPOs covering several clients. Either way, it will incur a cost and needs to be budgeted for and driven forward. It is also worth noting that even companies which do not require a DPO still need someone to take ownership of data.
5. Begin staff training and review your information governance framework - Staff training will be crucial to meet the requirements of the Regulation – and to avoid data breaches. With most data breaches stemming from individual error or bad process design, the focus should be on ensuring every employee, at every level of the business, understands the importance of data protection. All employees need to be aware and trained, and to act as responsible information owners.