With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, it might feel like the clock is ticking, but you’re not sure what to do about it.
Replacing the current data protection directive, the GDPR is designed to modernise rules governing the storage and use of personal data.
Key new rules include the requirement to demonstrate your compliance with the GDPR, new breach notification procedures and a definition of personal data that differs from the current regulations.

With the new regulations coming into place in less than a year, it’s important not to leave it too late to start preparing the company for the changes. Here are twelve steps to start taking today:
Make sure all stakeholders and decision makers in your organisation are aware of the GDPR. If mention of those four letters draws blank faces, point them in the direction of the ICO’s website.
Consider also sharing relevant information with department managers who can influence their teams and spread the word.
What personal data - if any - does your business currently hold? Where did it come from and who is it shared with? Document everything you know about personal data storage and usage in your organisation.
When carrying out this process, consider the document processes you have in place. What are people printing and filing separately? Are employees storing data they shouldn’t be? Make sure you’re aware of how to protect the documents you do have.
If you store personal data in any form, you should already have privacy notices in place on the platforms that gather the information. Review them and seek expert advice to ensure they comply with GDPR rules.
Your procedures will need to be checked to ensure they cover all the rights individuals will have under the GDPR. This extends as far as how you delete personal data, where it is shared and the formats used (for example - is it reproduced in print?).
Under GDPR, people are given far greater control over how they can request access to their data. You’ll need to respond quickly and in the right manner, which means your procedures for subject access requests may need to change.
The GDPR demands that businesses have a lawful basis for processing personal data. You need to identify what that is in your business, document it and update your privacy notices to take account of it.
When collecting personal data under the GDPR, the way in which consent is sought, recorded and managed is of paramount importance. Refreshing your existing consents may be required.
If you store data relating to children, you’ll need systems in place that verify their ages and obtain the correct level of parental consent for any data processing activity.
Unsurprisingly, the GDPR pays significant attention to data breaches and the steps that must be taken to mitigate them. That means you’ll need the right procedures in place to anticipate, deter and report any personal data breaches.
The ICO’s code of practice on Privacy Impact Assessments plays a big role in the GDPR. Familiarise yourself with it, but also pay attention to the Article 29 Working Party.
You’ll need to assign someone the task of taking responsibility for GDPR compliance in your organisation. Make sure the role sits within your business’s governance arrangements but also consider if you’ll need to formally designate a Data Protection Officer.
If your business operates in more than one EU member state (i.e. during cross-border processing), you’ll need to use Article 29 to determine your lead data protection supervisory authority.
There’s no escaping the GDPR, and Britain’s looming exit from the European Union won’t soften the requirements for businesses in this country, either. Follow our steps above, and you’ll be on the right path to compliance.