There are steps that you can take now to prepare for the General Data Protection Regulation (GDPR), in advance of it coming into force on 25 May 2018. The checklist below highlights 12 steps that you can take now to prepare for GDPR.
The new General Data Protection Regulation (GDPR) legal framework is the biggest change to data privacy legislation in over 20 years. Digital advancements over this time have meant that consumer data is created, collected and stored within seconds. It is more important now than ever to have clear laws and safeguards in place, given the growing digital economy and associated cyber security risk. The new rules will cause significant disruption to how organisations store, manage and process personal data, with significant penalties for those who don’t comply.
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the General Data Protection Regulation (GDPR). They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations.
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.
The GDPR requires you to maintain records of your processing activities.
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted.
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Many organisations will not have thought about their lawful basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your lawful basis for processing their personal data.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to 13 in the UK). If a child is younger, then you will need to get consent from a parent or guardian.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments (PIA) as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
GDPR makes PIAs, also referred to as Data Protection Impact Assessments (DPIAs), mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals.
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
It’s important to consider whether you are required to formally designate a Data Protection Officer. You must designate a DPO if you are:
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority and document this.
The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or the location where decisions about the purposes and means of processing are taken and implemented. The Article 29 Working Party guidelines will help you do this.