You will be aware by now that the General Data Protection Regulation (GDPR) will need to be in place by 2018 for any company that wishes to do business in the EU. As the UK’s leading MIMIX for IBM iSeries Installation and Support Consultancy we have had questions from a number of customers’ IT departments about what they should be doing. We have also been looking at this closely for our own business.
The bottom line is we’re all going to need to collect, store and use personal information more securely and if you have not started addressing this yet, you will potentially, have a lot of the compliance work to get through in what remains of 2017.
We’ve reviewed a number sources and complied a summary checklist for GDPR. You would be well advised to be making significant progress with the list by the middle of 2017.
GDPR Check List
1. High Level Awareness
Executives, IT staff and compliance managers need to be aware of what GDPR requires. Employees at all levels of the organisation need to be extensively educated on the regulation’s importance and what it will mean to them.
2. Personal Data Inventory
Make an inventory of all the personal data you hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How is it secured, both in terms of encryption and accessibility? Do you share it with third parties and on what basis might you do so? The data inventory will need to include backup systems for companies running IBM iSeries and MIMIX
3. Privacy Communications
Communicate with staff and service users. Review current data privacy notices alerting individuals to the collection of their data. Look for the gaps between the level of data collection and processing the organisation does and how aware customers, staff and service users are.
4. Review Procedures That Deliver Privacy Rights
Ensure privacy rights are protected. Review procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically. For companies using MIMIX, data which is deleted from the live system can be automatically deleted from the backup system, simplifying this issue.
5. Review Access Rights
Review how access rights could change. Check and update procedures and plan how requests within new timescales will be handled. Right to access to means that robust DR or HA solutions will need to be in place. Companies that run their business on iSeries with MIMIX HA, will have few worries in this area.
6. Legal Small Print
Make sure you understand your own legal small print. You should look at the various types of data processing you carry out, identify the legal basis for carrying it out and document it.
7. Bullet-Proof Customer Consent
Make sure customer consent is bullet-proof. You should review how consent is sought, obtained and recorded when recording personal data.
8. Extra Care with Children’s Data
Be sure to take extra care with children’s personal data. If you process data from minors, you must ensure systems are in place to verify ages and gather consent from parents/guardians.
9. Reporting Breaches
Plan how you will report breaches. You must ensure procedures are in place to detect, report and investigate a personal data breach. It is wise to assume a breach will happen at some point.
10. Data Protection Impact assessments
Make sure you understand Data Protection Impact Assessment (DPIA) and Data Protection by Design and Default. DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will help you to identify potential privacy issues before they arise, and develop a mitigation strategy.
11. Appoint Data Protection Officers
Make sure that someone in the organisation takes responsibility for data protection compliance and understands the responsibilities in detail. You could outsource this to and external consultant.
12. GDPR Compliance
Make sure you understand who you answer to regarding GDPR. Multinational companies will be entitled to deal with just one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.
If you run your business on IBM iSeries and having highly available data is becoming a requirement, please feel free to contact Mynah Bird IT to see how we can help.