Twelve steps you can take to get ready for GDPR compliance
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, and the following twelve steps will help organisations comply with the new regulation.
Step 1 – Awareness: Make sure that decision makers and key stakeholders in the organisation are aware of the changes that will need to take place, and how they will impact themselves and the business.
Step 2 – Information held: Determine what personal data is held, where it is held, where it came from and who it is shared with. This will need to be documented in order for an organisation to be compliant (the GDPR requires a record of processing activities), including having clear procedures and policies for the handling and storage of personal data across the organisation.
Step 3 – Privacy Notices: Review current privacy notices, and plan to update them with any changes required for GDPR compliance. There are some additional notices and clauses that may need to be communicated to customers. You will need to explain your lawful basis for processing their data, your data retention periods, and that all individuals have the right to complain to the ICO if they think there is a problem with the way you are handling their data.
Step 4 – Rights of individuals: The organisation will need procedures that cover all the rights of individuals under the GDPR, such as the right to erasure of personal data, the right to rectification, the right to object to processing, and the right to data portability (a copy of their data in a structured, commonly used, machine-readable format).
Step 5 – Subject Access: You may need to update your procedures to handle the changes to subject access rules. Organisations are required to respond within one month (extendable for complex or numerous requests), and in most cases can no longer charge a fee for providing the information.
Step 6 – Lawful basis: Review and document the various types of data processing your organisation performs to ensure each has a lawful basis. Whether that is consent, contractual necessity, a legal obligation, or legitimate interests, the basis chosen will affect the way in which personal data can be processed and which rights individuals can exercise.
Step 7 – Consent: Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; pre-ticked boxes or silence do not count, and it must be as easy to withdraw consent as to give it. You will need to review and document how you seek, obtain and record consent, and make any changes as necessary.
Step 8 – Children: The new regulation places particular emphasis on the use of children's data. If you offer online services directly to children and rely on consent, you will need to be able to verify individuals' ages and to gather parental or guardian consent for the use of personal data below the applicable age threshold.
Step 9 – Data Breaches: Organisations will need to ensure they have the right procedures in place to detect, report and investigate a breach that involves personal data. Under the new rules, a breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of becoming aware of it, and where the risk is high the affected individuals must also be notified. All breaches should be logged internally, whether or not they are reportable.
Step 10 – Data Protection by design and impact assessments: The GDPR makes privacy by design a legal requirement and requires Data Protection Impact Assessments (DPIAs) to be undertaken in certain circumstances, such as new personal data processing operations that are likely to result in a high risk to the rights and freedoms of individuals.
Step 11 – Data Protection Officer (DPO): Businesses may need to appoint a DPO to take responsibility for data protection compliance if one doesn't exist already. Appointment is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. The DPO can be an external resource if an organisation doesn't have the requisite data protection expertise and knowledge to fulfil its DPO obligations under the GDPR.
Step 12 – International: If the organisation operates in more than one EU country, you will need to determine which data protection supervisory authority is your lead authority, which depends on where your main establishment (the central base of operations for decisions about processing) is located.
By following these twelve steps, you can be confident that your business will be ready for the GDPR, as well as providing the highest standards of data protection for your customers.
Speak to J2 Technology today about how we can help you get ready for GDPR.