If your company already complies with the Data Protection Act (DPA), then you have a firm foundation for meeting the new EU General Data Protection Regulation (GDPR). In order to adapt your practice to meet the regulatory changes and to gain support from managers in your organisation, it’s a good idea to start preparing now. These twelve steps draw upon the ICO’s official guidance.
Educate your managers about impending changes. Gain their support by communicating the benefits of the GDPR. Carry out an audit of your existing systems to identify areas that need adapting for the GDPR and the resources that will be required. If your organisation has a risk register then that’s the best place to start.
Only hold data that’s absolutely necessary. The GDPR requires you to be thoroughly accountable for the personal data that you hold. For example, if you have passed inaccurate data on to another organisation, you have to update them, but to do so you must know the original source. Analyse personal data by considering:
Your current ‘privacy notice’ tells people your company’s identity and how you use their personal information. As the GDPR gives people more control over their data there is more for you to communicate to them. Moreover, under the GDPR, it’s mandatory to inform people about their additional rights in a clear, concise manner. This information must include how they can complain to the Information Commissioner’s Office (ICO) if they believe you have been negligent.
The rights people have under the GDPR are similar to those under the DPA but with significant enhancements. Check that your procedures provide individuals with the right…
At the moment you can charge people to access their data, but the GDPR will discontinue this practice. If somebody asks to view their data, you must comply within one month and without charging an administration fee. You can, however, refuse or charge for requests that you believe are excessive, but you must explain your reasons to the individual and the ICO. If your company is likely to receive many requests for information, you will need to consider the logistics.
The GDPR requires you to have a privacy notice to tell people your legal basis for processing personal data. Although the lawful bases in the GDPR are similar to the DPA, many companies won’t have considered them much since they don’t have many practical implications. However, under the GDPR some individuals’ rights depend upon the lawful basis for processing their personal data. For instance, people have a right to have their data deleted where their consent is the only lawful basis you can evidence.
How do you currently seek, record and manage consent? Check that you meet the GDPR standard by reading the ICO’s consent guidance. Consent must be proven with a positive opt-in and it cannot be inferred by silence. You need to be able to prove that you have consent. You will also need to show that you make it easy for people to withdraw their consent at any time.
The GDPR provides extra protection of children’s personal data especially in terms of social media. Under the age of 16 the GDPR requires parent or guardian consent to hold such data (the UK may lower this age to 13). You must be able to verify that consent has been given. If applicable, your privacy notice must be written in language that children understand. It’s best to hold children’s data only if absolutely necessary.
Can you demonstrate that you have the procedures in place to detect, manage and report a personal data breach? The GDPR requires all organisations to report data breaches that risk the rights and freedoms of the individual. Unless the information is anonymised or encrypted, you must notify the ICO and the individual.
Breaches must be reported within 72 hours. Failure to report a breach could result in a fine in addition to a fine for the breach itself.
The GDPR makes it mandatory to carry out a Data Protection Impact Assessment (DPIA) where data processing is risky for the individuals concerned. This could be where:
If you cannot address those risks then you are required to consult with the ICO. Prepare now by assessing which situations could arise that require DPIAs. Who will conduct the DPIA? Familiarise yourself with the ICO’s DPIA guidance.
Organisations that process sensitive personal data on a large scale will be required by the GDPR to designate a Data Protection Officer (DPO). Even if your company isn’t formally required to have a DPO, it is still wise to give one person overall responsibility for GDPR compliance. In this instance, instead of employing somebody specifically for the role, you could hire an external data protection advisor.
Does your company operate in more than one EU state? If so, in which country do you make your most important decisions about data processing? If the answer is the UK, then your data protection supervisory authority is the ICO. If it is a country other than the UK, then you must determine which data protection supervisory authority is your lead. For guidance on identifying your lead, consult the Article 29 Working Party.