Prepare for the General Data Protection Regulation (GDPR) – 12 STEPS TO TAKE NOW

There are steps that you can take now to prepare for the General Data Protection Regulation (GDPR), in advance of it coming into force on 25 May 2018. The checklist below highlights 12 steps that you can take now to prepare for GDPR.

What is the GDPR?

The new General Data Protection Regulation (GDPR) legal framework is the biggest change to data privacy legislation in over 20 years. Digital advancements over this time have meant that consumer data is created, collected and stored within seconds. It is more important now, than ever to have clear laws and safeguards in place, given the growing digital economy and associated cyber security risk.  The new rules will cause significant disruption to how organisations store, manage and process personal data, with significant penalties for those who don’t comply.

12 STEPS TO TAKE NOW

1. AWARENESS

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the General Data Protection Regulation (GDPR). They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.

Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations.

2. INFORMATION YOU HOLD

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.

The GDPR requires you to maintain records of your processing activities.  You should document what personal data you hold, where it came from and who you share it with.

3. COMMUNICATING PRIVACY INFORMATION

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.

4. INDIVIDUALS’ RIGHTS

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

The GDPR includes the following rights for individuals:

• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object; and
• the right not to be subject to automated decision-making including profiling.

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted

5. SUBJECT ACCESS REQUESTS

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.

6. LAWFUL BASIS FOR PROCESSING PERSONAL DATA

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Many organisations will not have thought about their lawful basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your lawful basis for processing their personal data.

7. CONSENT

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.

8. CHILDREN

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to 13 in the UK). If a child is younger then you will need to get consent from a parental or guardian.

9. DATA BREACHES

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments (PIA) as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

GDPR makes PIAs, also referred to as ‘Data Protection Impact Assessments (DPIAs) mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals.

11. DATA PROTECTION OFFICERS

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

Its important to consider whether you are required to formally designate a Data Protection Officer. You must designate a DPO if you are:

• a public authority (except for courts acting in their judicial capacity);
• an organisation that carries out regular and systematic monitoring of individuals on a large scale; or
• an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

12. INTERNATIONAL

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority and document this.

The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or the location where decisions about the purposes and means of processing are taken and implemented. The Article 29 Working Party guidelines will help you do this.

For more guidance and information contact Mico Edward Accountants Today: info@micoedward.com