Val Surgenor presents her 12 steps for your organisation to prepare for the new General Data Protection Regulation
The new General Data Protection Regulation (GDPR) will bring about the greatest ever reform of current laws on data protection on 25 May 2018.
The Information Commissioner’s Office has issued guidance on the 12 steps to GDPR compliance, and here we will look at the steps your organisation should be taking now to ensure compliance before 25 May 2018.
1. Awareness
You should be acting now to ensure your organisation is GDPR compliant. There’s less than one year to go and implementation of the GDPR within an organisation could involve significant resources and planning – it’s never too early to be prepared!
2. Information you hold
The GDPR requires you to maintain records of all data processing activities. It’s important for organisations to review their data, where this came from, how long they’ve had it, and the legal basis for processing.
3. Communicating privacy information
You should review your organisation’s privacy notices and make the necessary amendments to ensure GDPR compliance. The ICO has developed a code of practice for privacy notices which organisations can use to ensure GDPR compliance.
4. Individuals' rights
You should check your procedures to ensure they cover all the rights individuals have. Some of these are new under GDPR:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right not to be subject to automated decision making and profiling
5. Subject access rights
You should update the policies and procedures you have in place for dealing with subject access requests, to ensure you can comply within the new one-month deadline.
6. Lawful basis for processing personal data
You must review the legal bases used for processing personal data to ensure these are still relevant and will be GDPR compliant.
7. Consent
Where your organisation relies on consent, you should read the ICO guidance, as this legal basis is undergoing the most change under the GDPR.
8. Children
Under the GDPR, for the first time, children’s personal data will be specially protected where organisations offer online services directly to children. You should ensure you have processes and mechanisms in place to verify the age of users and seek parental consent for children under 13 (in the UK).
9. Data breaches
In certain circumstances organisations will only have 72 hours from discovery of a breach to notify the relevant data protection authority of the breach. Organisations will also have the obligation, in certain circumstances, to notify data subjects directly if the data breach is likely to result in high risk to their personal data.
10. Data protection by design and data protection impact assessments
Privacy Impact Assessments will be required where processing is likely to result in high risk to individuals, e.g. where rolling out new technology, where profiling occurs or where processing is conducted on a large scale. The ICO and the Article 29 Working Party have released guidance on this issue.
11. Data Protection Officers (DPOs)
Organisations should evaluate whether they are required to appoint a DPO under the GDPR.
12. International
If your organisation operates in more than one EU member state, you should identify the lead supervisory authority.
With less than a year to go, your organisation should be assessing and reviewing the above areas to ensure GDPR compliance by 25 May 2018.
Val Surgenor is a partner at MacRoberts LLP.