GDPR 10 Essential Steps to Take Now

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018

Organisations that have day-to-day responsibility for data protection must be 100% compliant from day one.

To help organisations prepare for GDPR, we have put together 10 simple steps to take now to avoid fines.

1. Communication

Internally
Raise awareness and ensure you communicate GDPR to all key decision makers and key people in your organisation, especially those who handle personal data.
They need to be made aware that the current Data Protection Act is changing to the GDPR, effective 25 May 2018.

Some parts of the GDPR will have more of an impact on some organisations than on others, so you need to establish which parts of the GDPR will have the greatest impact on your business model and treat those areas as high priority in your planning process.

The ICO (Information Commissioner’s Office) is constantly producing new guidance and other tools to help organisations stay up to date with the GDPR, available on the ICO’s GDPR website page.

Regular communication about GDPR to keep staff updated will help to identify any areas within your organisation that may be at risk of non-compliance, giving an opportunity to take early action to reduce the impact to your organisation.

Externally to individuals
Under the GDPR there are extra things you have to tell people, in addition to providing a privacy notice that contains information such as your identity and how you intend to use personal information.

Now you will need to explain your legal basis for processing the data, your data retention periods and that individuals now have a right to complain to the ICO if they think there is a problem with the way you are handling their data.

The GDPR also requires this information to be provided in concise, clear and easy-to-understand language.

The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.

2. Personal data

Carry out an inventory or internal audit of what personal data you currently hold.
Document where it came from, how long you’ve had it, and who you share it with.

If you share personal data with other organisations, it’s important that you can prove that the information held is up-to-date and accurate.

Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide it electronically in a commonly used, machine-readable format, and how you would provide the information free of charge.

The main rights for individuals under the GDPR will be:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

These rights may be revised, so regularly check the ICO’s GDPR website page.

Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles.

3. Planning

Once you’ve reviewed your existing privacy notices, policies and procedures, you need to put in place plans for making any necessary changes in time for GDPR implementation.
Perform impact and risk assessments to identify any dependencies and any issues with resources or current infrastructure; this will enable you to manage time frames and costs.

You need to plan, and update your procedures accordingly, for how you will handle subject access requests within the new timescales.

Currently organisations have 40 days to respond; under the new rules you will have a month to comply.

You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.

If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy.
You must do this without undue delay and at the latest, within one month.

Communicate internally how you’re going to implement your plans and any necessary changes, so that everything is in place and personnel are fully aware of any new policies and procedures, ensuring compliance from day one.
