The General Data Protection Regulation (GDPR) will come into effect from May 2018 replacing the existing data protection framework.
TOP 10 TIPS TO CONSIDER:
1. Have you created awareness?
Staff should be made aware that the law is changing to GDPR. They need to appreciate the impact that this will have and how the company will need to plan to meet those commitments and evidence of compliance.
2. Have you nominated someone to be responsible?
You should nominate someone to be responsible for data protection compliance and assess where the role will sit within your organisation's structure and governance arrangements.
3. Do you know what information you hold?
You need to document what personal data you hold, where it came from, consent received and who you share it with. You may need to organise an information audit to do this.
4. Are your privacy notices sufficient or do you have any?
You need to review your current privacy notices and put a plan in place for making any necessary changes in time for the GDPR implementation deadline.
5. Can you facilitate the rights of individuals?
- Check your procedures to ensure they cover all the rights of individuals have, including how you would document your processing activities.
- Clearly document all the data you hold.
- Provide data electronically and in a commonly used format (portability).
6. Can you handle subject access requests?
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
7. How do you handle or obtain consent?
- You should review how you seek, record and manage consent and whether you need to make any changes.
- Refresh existing consents now if they don't meet the GDPR standard.
8. What do you do if there is a data breach?
You need to ensure you have the right procedures in place to detect, report and investigate a personal data breach.
9. How do you implement or evidence Privacy by Design and perform Data Privacy Impact Assessments (DPIA)?
You need to familiarise yourself with the various code of practice on Privacy Impact Assessments as well as the latest guidance from Article 29 Working Party, and work out how and when to implement them in your organisation.
10. Is your organisation an international organisation?
If your organisation operates in more than one EU member state (i.e. you carry out cross border processing), you should determine your lead data protection supervisory authority.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.