"So now is a good time to start thinking - if you haven't been doing so already - about what you could do proactively to minimise the opportunity for your organisation to be penalised for breaching personal data."
The regulators aren't the only people monitoring data use. Privacy activists are also growing in influence and will be watching out for any breaches. They will want to know where data is, what it is being used for, who has it, for how long they're going to keep it. Breaches could also lead to civil suits resulting in significant fines and legal costs of their own.
Websites should have appropriate privacy notices, backed by DPIAs (data protection impact assessments), that tell people clearly and transparently what will be done with their data.
Specific data protection needs
Organisations that deal with citizen data need to look closely at the basis for consent, their record-keeping practices and their methods for data disposal.
"If you're using cloud services, where is that citizen data?" asked Goodwin. "Do you understand that? Do your citizens understand that? Have you told them where the basis for processing is physically going to be?"
Staff also have their own rights under the GDPR. Employment terms and conditions should be revisited to ensure they understand the specific purposes for which their data is going to be processed.
They can also make their own subject access requests. Outsourced services, such as payroll, benefits or external training providers, will mean personal data leaving the organisational boundaries. Organisations also need to know everyone in the supply chain who has access to personal data.
The use of data within all of them needs to be controlled and protected, for the benefit of both your organisation and the general public.