The EU’s data protection legislation, the General Data Protection Regulation (GDPR), will take effect in May 2018. The GDPR is intended to strengthen and unify data protection for individuals within the EU, but will also affect the UK.
It will ensure that all personal data has to be managed in a safe and secure way, has to be gathered lawfully, is only used for the purposes for which it was collected, and must be accurate and up-to-date.
Is your business prepared for the General Data Protection Regulation (GDPR)? Here are 12 steps to help you take action now:
- Awareness - Ensure that all decision makers and key people in your business are aware that the law is changing to the GDPR. It’s important you make them aware of the impact this may have.
- Information - It is important to document any personal data you hold, including where it came from and who you share it with. Consider organising an information audit.
- Communicating privacy information - Review your current privacy notices and implement a plan for making any necessary changes to them in time for GDPR implementation.
- Individuals’ rights - Evaluate your procedures to confirm they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests - Update your procedures and implement a plan for how you will handle requests within the new timescales and provide any additional information.
- Legal basis for processing personal data - Analyse the various types of data processing you carry out as a business and identify your legal basis for carrying it out and document it.
- Consent - Carry out an audit into how you are seeking, obtaining and recording consent. It is important you understand the current process in order to make any necessary changes to it.
- Children - Consider implementing a system to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data breaches - Make certain you have the necessary measures in place to detect, report and investigate a personal data breach.
- Data Protection by Design & Data Protection Impact Assessments - The ICO has produced guidance on Privacy Impact Assessments. Familiarise yourself with it and work out how and when to implement them in your business.
- Data Protection Officers - Designate a Data Protection Officer to be accountable for data protection compliance. Consider the position of this role within your business structure and governance measures.
- International - If your business operates internationally, it is important to identify which data protection supervisory authority you come under.
GDPR is not just about technologies: it's as much about process design and procurement. However, some elements can only be enabled or managed through technology.
Our Technology Services division can help businesses and guide them towards what technology they really need to invest in to be prepared and compliant.