12 Preparations to Help You Comply with the GDPR
The GDPR comes into force on May 25th, 2018. If you have not started preparations already, now should be your time to act. Most of the main concepts and principles of the GDPR are similar to those set in the current Data Protection Act. Therefore, if you comply with the current law then this can be a starting point to build from. With that said, there are still significant changes you will need to make to ensure your business is GDPR-compliant.
Listed below are 12 preparations your organisation needs to make now to get GDPR-ready.
12 Steps to Take
1. Be accountable for data – Organisations should document what personal data they hold, where it is from and who it is shared with. You should be accountable for the records held and organise an information audit too.
2. Spread awareness of the GDPR – It is crucial that key people and decision makers in your business are aware of the GDPR and the impacts of it. Leaving this until the last minute may make it harder for your organisation to comply.
3. Ask for customer consent – The GDPR requires organisations to have a system in place where individuals have the option to consent to their data being processed. You should review how you record, control and ask for consent, then make the required changes.
4. Prepare for a Data Protection Impact Assessment (DPIA) – A DPIA is required in situations where data processing is likely to result in a high risk to individuals. Therefore, you need to assess in which situations it would be necessary to carry one out.
5. Cover all the individual rights – Before the GDPR comes into force, check your procedures to ensure they cover all the individual rights. In a nutshell, the rights of individuals are the same as those under the current Data Protection Act but with some significant improvements. To see the GDPR’s rights for individuals, see this ICO document.
6. Update your procedures to handle requests – Organisations should look at how they currently handle subject access requests. Then, update them accordingly with the new GDPR rules.
7. Have a lawful basis for processing data – You will need to identify and explain your reason for processing personal data. This reason should be documented and mentioned in your privacy notice.
8. Prepare for any data breaches – You need to ensure that you have the correct procedures in place to find, report and investigate a personal data breach. The GDPR requires all organisations to report any data breaches to the ICO (Information Commissioner’s Office).
9. Consider an age verification system – Start thinking about whether you need to put systems in place to verify an individual’s age. If so, parental or guardian consent needs to be obtained before any personal data is processed.
10. Designate a data protection officer (DPO) – It is imperative that you designate someone to take responsibility for data protection compliance. Then, you should assess where this role will fit within your business. You must assign a DPO if you are: a public authority; a business which carries out systematic and regular monitoring of individuals on a large scale; or a business which carries out large-scale processing of special categories of sensitive data. To find out more, see this article.
11. Understand international presence – If your company works in more than one EU state, you need to determine which supervisory authority is your lead data protection supervisory authority and keep a note of it. Your lead authority is the supervisory authority in the state where your main establishment is. This step is only necessary where you carry out cross-border processing.
12. Update your privacy notices – All companies should review and update their privacy notices in accordance with the GDPR. This information needs to be provided in easy-to-understand, concise language. To see more on what information needs to be included, see the ICO’s Privacy notices code of practice. An example of how your policy should be updated can be seen below:
We comply with the rules set under the European General Data Protection Regulation (GDPR) 2018 when dealing with customer data.
To comply with the GDPR, the first thing to do is look at your organisation’s data processes and protection systems. Look at what personal data you collect from individuals, how it is obtained, how it is stored and how it is shared. This way, you can see which steps your business needs to focus on the most. Moreover, it is essential to thoroughly understand the new rights of customers under the GDPR. Take enough time to prepare your business and become GDPR compliant.