From 25 May 2018, any UK organisation processing personal data will need to demonstrate GDPR compliance. Charities, local government and businesses of all sizes need to assess their data management and ensure they meet the requirements set out in the new legislation.
But with such an enormous volume of information on the Internet about GDPR, where do you start? Here we dissect guidance from the Information Commissioner's Office (ICO) and provide a checklist of things to consider when working towards compliance for your organisation.
Awareness
Are key decision makers and managers aware of the forthcoming changes in data protection law? Adhering to GDPR could have significant implications for the way the organisation is run, so the more time available to plan appropriately, the better.
Information You Hold
You will need a system in place to document what personal data you hold, where it came from, who you share it with and how you use it. Many advise running an information audit as soon as possible: once you have mapped all the data you hold, working out how the regulation affects you becomes far quicker.
Communicating Privacy Information
Review and update your privacy notices. Under GDPR, individuals need to know exactly what you plan to do with their data once it is provided, including your lawful basis for processing and how long you will keep it. Is this clear?
Individuals' Rights
What procedures are in place for individuals' rights? Key elements to consider: how will you delete personal data if requested, and how will you provide it in a portable format? Is there a system to do this effectively and efficiently?
Subject Access Requests
How will you process subject access requests and provide information within the new timescale? Under GDPR you will normally have one month to respond, rather than the current 40 days, and you will not be able to charge a fee in most cases. Will you be able to comply?
Lawful Basis for Processing Personal Data
Identify and document the lawful basis for each type of processing you carry out, and update your privacy notices to explain it.
Consent
Will you need to change how you source, record and manage consent? Refresh existing consents now if they do not already meet the GDPR standard: consent must be freely given, specific, informed and unambiguous, and you must be able to show when and how it was obtained.
Children
Are you verifying individuals' ages, and obtaining parental consent where you need to? GDPR sets the age at which a child can consent to online services at 16 by default, but it is worth bearing in mind that the UK's Data Protection Bill is expected to lower this to 13.
Data Breaches
It will become a legal requirement to report a personal data breach to the ICO within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms; where the risk is high, you must also inform the individuals affected. What are your plans to detect, investigate and report personal data breaches should they happen? You will need to know, and be prepared to act, if a breach occurs.
Data Protection by Design and Data Protection Impact Assessments
Make sure you understand the ICO's code of practice on Privacy Impact Assessments. Under GDPR a Data Protection Impact Assessment becomes mandatory where processing is likely to result in a high risk to individuals, for example large-scale monitoring or use of new technologies.
Data Protection Officers
Consider whether you need to formally appoint a Data Protection Officer. The requirement depends on what you do rather than on your size: it applies if you are a public authority, or if your core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
GDPR isn't far away now, with only eight months left to get your data in order. Here we have provided a snippet of what organisations will need to consider, but for more detailed, informative instruction why not take our GDPR e-learning courses?
Developed in partnership with data security legal experts Clayden Law, the online courses set out what organisations need to implement and when, tailored to the different levels of knowledge required, from board-level training through to training for receptionists.