12 Sep General Data Protection Regulation May 2018: A Preparation Checklist
Data Privacy – How Will the General Data Protection Regulation (GDPR) Affect Personal Data Processing?
The new General Data Protection Regulation, the GDPR, comes into effect next May. It’s set to have an impact on every organisation that processes personal data. When do you need to start thinking about it, and what can you do right now to prepare your company in good time?
The first question has a simple answer. Time flies, and it makes a lot of sense to get your house in order now, or at least make a start so you’re not caught on the hop in 2018. On the bright side some things haven’t changed much. If you already comply with current rules, you will probably comply with most of the new ones. On the other hand there are a few key extras and enhancements, mostly concerning additional documentation. This means that organisations that process personal data will have to put new procedures and processes in place and do a few things slightly differently. Additionally, find out what GDPR means for global information security here.
Here’s advice from the UK Information Commissioner’s Office, released in May 2017.
Your early-bird GDPR checklist
First of all, it’s important to ensure that senior people know that the law is changing in May 2018, and understand the likely impact. It also seems sensible to formally note down the personal data you hold, where it comes from, and who you currently share it with. If you think you might face issues of any kind under the new rules, it’s better safe than sorry to get a proper information audit done, by someone qualified to do so.
One of the most effective ways to prepare yourself is to study the new Data Protection by Design and Data Protection Impact Assessment requirements, reading and digesting the ICO’s new code of practice on Privacy Impact Assessments and figuring out how and when to implement the guidance given in the Article 29 Working Party guidelines.
Are you clear on the individual’s rights as regards their personal data? If not, now’s the time to familiarise yourself with the dos and don’ts. Check your company’s current procedures to make sure they dovetail with the rights people have under the law, including processes for providing data electronically, and how and when you delete it.
The individuals you hold data about have the legal right to access that data. Do your existing procedures allow you to handle such requests in a timely fashion under the new rules, and are you prepared to provide any additional information that people are within their rights to ask for?
You absolutely must have a proper, lawful basis for processing personal data, which also means documenting it according to the law and keeping your privacy notice up to date, a document that should clearly explain the basis on which you’re processing it. And it’s vital to confirm that your business is working within the law as regards seeking, recording and managing all the required legal consents, making changes if you need to. If your current consent process doesn’t meet the new GDPR standard, you need to change things so it does.
What happens if you suffer a data breach? It’s your job to ensure you put compliant procedures in place to detect, report and investigate when something goes wrong. And it’s vital to decide early enough whether you need fresh systems to verify the age of individuals, seeking parental consent or the consent of a child’s guardians before processing their data.
Last but not least, any organisation that operates across more than one EU nation and processes data across borders should pin down which is their lead data protection supervisory authority, details of which you’ll find in the Article 29 Working Party guidelines.
Appoint your own Data Protection Officer – Or let us act on your behalf
The ICO suggests it’s a good idea to name a Data Protection Officer within your organisation, someone who is prepared to take responsibility for compliance. This could prove tricky for very small businesses that process personal data, simply from a resource perspective. Luckily we can take over that role on your behalf, acting as your expert data protection partner.
Find out what the penalties are for GDPR non-compliance here. In fact we can take GDPR compliance over for you, ticking all the right boxes to ensure you comply, saving you time, hassle and effort. Contact us for details, or to have a no-obligation discussion about how we can help your organisation stay within the new laws.