Last Tuesday, we ran an event, in conjunction with the Sport and Recreation Alliance, Gateley plc, Howden and Sport:80, focused on the impact the GDPR will have on the sport and recreation industry. The event was held at the Nottingham Conference Centre and over 150 delegates were in attendance to learn about the steps they need to take to get ready for next May.
Any organisation that collects, stores, uses or shares personal data will be affected by the GDPR and needs to ensure compliance with the regulation before enforcement begins on 25th May 2018. Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person, which includes data that only identifies someone when combined with other information the organisation holds.
There is no distinction between a person’s private, public, or work roles and examples of personal data include, but are not limited to:
- Home address
- Work address
- Telephone number
- Email address
- Passport number
- National Insurance number
- Driver’s license
- Medical records
- Bank details
- Credit/Debit card numbers
- Social media posts
- Location data
Our approach when helping organisations and companies prepare for the GDPR is based on four key pillars: discover, manage, protect and report.
Inventory your organisation's data to understand which data is personal, where it resides, why it is collected, how it is processed and shared, and how long it is retained. The inventory should cover not only your own systems but also the data you pass to third parties such as membership platforms, insurers and payment providers.
Effectively managing your data involves data governance and data classification. A data governance plan can help you define policies, roles and responsibilities when using personal data. Adopting a classification scheme (for example, distinguishing special category data such as medical records from ordinary contact details) makes it easier to apply the right controls and to respond to data subject requests within the required timescale.
The GDPR imposes strict rules on organisations when it comes to information security. It requires your organisation to take appropriate technical and organisational measures to protect personal data from loss, destruction, damage, or unauthorised access or disclosure. "Appropriate" is judged against the risk to the individuals concerned, so data such as medical records or bank details warrants stronger controls (access restriction, encryption, logging) than a mailing list of club newsletter subscribers.
One of the most important aspects of the GDPR is the accountability principle. It is not enough to comply; your organisation must be able to demonstrate compliance. You will need to be transparent about how you handle personal data and maintain documentation that defines your processes and use of personal data, including records of processing activities and of any personal data breaches.
Recommended actions and next steps
At the event we highlighted the importance of taking action now and to start preparing the organisation for compliance with the GDPR. It’s better to do something rather than nothing!
The ICO supports the UK government's Cyber Essentials scheme. This will help your organisation implement basic security measures to protect itself from the most common forms of cyber attack and security breaches. You can register for a Cyber Essentials assessment by one of our security experts here.
Follow the above four-stage process to understand the full impact the GDPR will have on your organisation and the steps necessary to ensure compliance.
Carry out Data Protection Impact Assessments (DPIAs) on existing and new systems used by your organisation to identify, assess and mitigate privacy risks in data processing activities. Under the GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals, so it is worth building the assessment into your project process now rather than retrofitting it later.
Regularly visit the ICO's website to keep abreast of the new guidance and resources available to help your organisation prepare for next May; there is a lot of help available to you.