We are under a month away from the General Data Protection Regulation (GDPR) coming into effect. If you haven’t done anything to prepare yet now is definitely the time to act. If you are still unsure on what you need to do the ICO have put these 12 steps together to guide you through the process, we have summarised them for you below.
Step 1: GDPR Awareness
GDPR could have a significant impact on your organisation and it is important that everyone within your organisation is aware that the law will be changing on May 25th. Make sure that you identify the areas most likely to be affect and ensure that the staff in those areas are well trained in what will change and any new processes that need to be put in place. This can take some time so don’t leave it to the last minute.
Step 2: Know What Information You Are Holding
The new regulation requires you to record what personal data you hold, where it came from and if you share it with any third parties. You also need to ensure that your data is accurate and up-to-date. If you do not already have a record in place you may need to perform a data audit and put processes in place to ensure that all details are recorded moving forward. This will help you prepare for the GDPR’s accountability principle which requires you to have effective policies and procedures in place to comply with the new regulations.
Step 3: Communicate Your Privacy Policy
By now you have no doubt been inundated with companies asking you to review their new data privacy policies. This is due the changes that they have had to make to their policies in time for the GDPRs implementation next month. In addition to the normal details that need to be included within your privacy policy, such as your identity and how you intent to use their data, you will also now need to incorporate some additional information including the lawful basis for processing their data. You can find out more about this in the ICO’s Privacy notices code of practice.
Step 4: Ensure you have Individuals’ Rights covered
The GDPR includes the following rights for individuals:
• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object; and
• the right not to be subject to automated decision-making including profiling.
Do you have processes in place already that can cover all of the Individuals’ Rights? If not now is the time to update your policies and procedures. You should also check whether your current data systems are able to support you should any requests be made by any of your data subjects.
Step 5: Requests for Data Access
Part of the GDPR is the amendment of the rules around subject access request. You need to ensure you have suitable procedures in place to handle these requests appropriately. ICO give the following guidance:
• In most cases you will not be able to charge for complying with a request.
• You will have a month to comply, rather than the current 40 days.
• You can refuse or charge for requests that are manifestly unfounded or excessive.
• If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
Step 6: Lawful basis for processing personal data
This is a really important step in your GDPR preparation. If you have not yet thought about the lawful basis for you processing a subject’s personal data, you need to identify what this is and ensure you incorporate it in your privacy policy. Under the GDPR some of the individuals’ rights will be modified depending on what your lawful basis for processing is. You will need to ensure that this is well documented to help you comply with the GDPR’s accountability requirements.
Step 7: Manage Consent
How are you currently gaining, recording and managing consent? The ICO has put together some detailed guidance on consent under the GDPR which should be reviewed and implemented. If your current consents do not meet the GDPR standards it is recommended to refresh them now. As a general principle consent should be:
• Freely given
• Specific
• Informed
• Unambiguous
• Gained by Positive Opt-In
Step 8: Children’s Data
The GDPR will introduce special protection around children’s personal data for the first time. Depending on the type of customers you have you will need to consider whether you will need to verify individuals’ ages and obtain parental or guardian consent. If you are collecting children’s data in any format you must ensure that your privacy notice is written in a language that a child would understand.
Step 9: Data Breaches
Do you know what to do if your organisation suffers a data breach? There are specific requirements that will come into effect with the GDPR on 25th May. You will need to ensure that you have the correct procedures in place to detect, report and investigate any personal data breaches. Depending on the severity of the breach you will need to notify the ICO and potentially the individuals whose data has been affected. Failure to report a breach can carry hefty fines on top of a fine for the breach itself.
Step 10: Data Protection by Design
According to the ICO ‘It has always been good practice to adopt a privacy by design approach
and to carry out a Privacy Impact Assessment (PIA) as part of this.’ The introduction of the GDPR will make this an express legal requirement. Under certain circumstances, where data processing is likely to result in a high risk to individuals, a ‘Data Protection Impact Assessment will also become mandatory.
Step 11: Data Protection Officers
Not all organisations are required to formally designate a Data Protection Officer (DPO) however it is highly recommended. There are some organisations in which this is a mandatory role and you should check the GDPR guidelines.
Step 12: International
As the GDPR will cover the whole of the EU there will be new rules in place around cross-border processing. If your organisation operates in more than one EU member state you should determine a lead data protection supervisory authority. The Article 29 Working party has produced guidance on identifying a controller or processor’s lead supervisory authority.
Qlic has helped many organisations prepare for the upcoming GDPR with provision of online awareness training courses for staff, Cyber Essentials certifications and GDPR consultations. If you would like to find out how we can help your organisation prepare get in touch with us today on [email protected] or 02039043464.