GDPR Procedures for IT Systems
The changes brought about by GDPR can be overwhelming, especially for smaller businesses. It is important, however, to get to a place as a business where you are able to demonstrate GDPR compliance.
A key principle of the GDPR is the processing of personal data securely by means of ‘appropriate technical and organisational measures’, also known as the ‘security principle’, meaning that you now have a statutory responsibility to process personal information in such a way that it is secure.
Where personal information is stored on electronic systems it is important to check where the servers and other IT equipment used to store the information are located.
In the event of a data breach, you have a statutory duty to report certain types of personal data breaches. You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
The ICO can impose substantial financial penalties (fines of up to 20 million Euros or 2-4% of your annual turnover), but can also issue warnings and reprimands, impose a temporary or permanent ban on data processing, order the rectification, restriction or erasure of data, and suspend data transfers.
Bespoke training courses for GDPR Procedures for IT Systems are designed according to the systems implemented and the type of data that is being stored and processed and for what purpose. Courses are effectively broken down into units according to skill level and user roles.
Below are just some of the units which would be included:
o appointing a data protection officer
o adopting and implementing data protection policies both online and offline
o the rights of data subjects
o taking a ‘data protection by design and default’ approach
o putting written contracts in place with organisations for whom you store and process personal data
o maintaining documentation electronically of your processing activities
o Personal Information Management Systems (PIMS)
o implementing appropriate security measures within IT systems
o testing for software vulnerabilities and processes for rectifying them
o dealing with third parties and data in the Cloud
o recording and, where necessary, reporting data breaches
o carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests
o adhering to relevant codes of conduct and signing up to certification schemes