The term ‘personal data’ is defined by GDPR as any data record that could potentially identify an individual.
The regulation comes into effect in May 2018, which is fast approaching, and worryingly, many companies still aren’t taking the steps that they need to be prepared.
Many of the main concepts in GDPR are the same as those in the current Data Protection Act, so if you are complying properly with the current law, most of your approach to compliance will remain valid under GDPR and can be the starting point to build from.
As we have already said, GDPR affects everyone. The regulation imposes obligations on companies and defines the rights of citizens to access information related to stored or processed personal data.
Some aspects of the new regulation will have more of an impact on some organisations than others however – like provisions relating to profiling or data held on children. It’s important when planning for GDPR to map out which areas will have the greatest impact on your business, and prioritise those.
Let’s get you on the right path to complying with GDPR by May 2018, starting with the following 10 steps:
You need to ensure that key people within your organisation (including decision makers) are aware that the law is changing around data protection. They need to appreciate the impact that this is likely to have and identify areas that could cause compliance problems under GDPR.
Implementing GDPR could have significant resource implications, especially in larger, complex organisations. You may find compliance difficult if you leave preparations until the last minute.
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. The GDPR also requires you to maintain records of your processing activities as it updates the rights for a networked world.
You need to review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect data currently, you have to give people certain information, such as how you intend to use their information. Under GDPR you need to explain your lawful basis for processing their data, your retention periods and that individuals have the right to complain to the ICO if they feel there is a problem with how you’re handling their data.
You need to check your procedures to ensure that they cover all the rights that individuals have under GDPR, including:
You should update your procedures and plan how you will handle requests for data under the new laws:
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
You should review how you seek, record and manage consent, and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals.
You should put procedures in place to effectively detect, report and investigate a personal data breach.
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer (DPO).
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
This is only relevant where you carry out cross-border processing – i.e. you have establishments in more than one EU member state or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
The best way to approach GDPR is to be prepared. On 29th June, we are holding two roundtable events in association with The Manufacturer for manufacturing and food manufacturing businesses to explore what GDPR means for them, and how they can get started (amongst other industry topics).
If this is something you would be interested in, please find the full details and agenda here:
Please contact Jessica Hall for more information or to register on firstname.lastname@example.org.