The law is changing, and the General Data Protection Regulation (GDPR) will be in full effect from 25th May 2018.
GDPR is a new regulation affecting data protection and the reporting of data protection breaches. This regulation will affect not only businesses within the EU, but any organisation that deals with EU businesses.
This guide will outline the steps you should be taking within your organisation in order to fully prepare for GDPR, ensuring compliance and correct governance are in place before the deadline.
1. Awareness & Preparation
- The first step is understanding where your organisation sits on the path to GDPR compliance. Do the decision makers within your organisation understand what GDPR is and how it will affect business?
- The impact of GDPR needs to be fully realised ahead of the deadline, ensuring a plan is in place for compliance.
- Creating & implementing change: GDPR, both in preparation and as a result of the change, could have significant resource implications—so plan as far ahead as possible.
2. Discover & Assess
- Identify areas within your business that could cause compliance problems under the GDPR; look at how you handle customers' information, and your systems & processes in place around that data.
- When collecting personal data you must provide customers with your identity and your reasons for collecting the data. Under GDPR, you will also have to inform customers how long you intend to keep their data, and make them aware of any complaints procedures. All of this must be in an easy-to-understand format: no “legalese”.
- You must assess your current processes for GDPR compliance against each of the individuals' rights:
  - the right to be informed;
  - the right of access;
  - the right to rectification;
  - the right to erasure;
  - the right to restrict processing;
  - the right to data portability;
  - the right to object; and
  - the right not to be subject to automated decision-making, including profiling.
- Update privacy documents: Under GDPR’s “Lawful basis for processing personal data” organisations are required to explain their reasons for processing customer data, and this must be documented in a privacy notice.
- Consent: Following guidelines provided by the ICO, organisations must review and if required update their processes for obtaining consent: namely, consent must be freely given, specific, informed, and unambiguous.
- Children: When dealing with children under GDPR, you will be required to obtain consent from a parent or guardian if the child is under 16—your current processes may need updating to reflect this change.
- Data breaches: GDPR introduces a duty on all organisations to report data breaches to the ICO—you must have the correct processes in place to deter, report, and investigate personal data breaches.
- Supplier compliance: It is your organisation's responsibility as a Data Controller to ensure that your suppliers are compliant (processes, and software security, etc.).
- Right to be forgotten: Your customers have the 'Right to be forgotten'. Upon request, they have the right to ask that all information held about them by an organisation be totally deleted.
- Self-assessment: The ICO has created a tool to help your organisation gauge its compliance with the new regulations, and to help create a plan for full compliance.
3. Create your plan
- Data Protection Officer (DPO): Your organisation must nominate designated persons whose responsibility it is to maintain data protection compliance. The DPO reports directly to the Board of Directors.
- Once you have outlined & assessed all the changes required to meet GDPR compliance, and have the required designated persons, you can start to address how your plan is implemented:
  - Quick & easy first: updates to policy or privacy documents—easy wins that allow progress to be made whilst the roadmap for larger, longer-term changes is drawn out.
  - Your DPO must ensure that all necessary updates are scoped properly, so that the plan incorporates adequate resourcing and budget allocation for success.