How to Get Ready for the General Data Protection Regulation (GDPR)
The General Data Protection Regulation comes into force on 25 May 2018. There is much for businesses to do in order to get ready. The following steps are a good start:
1. Ensure that the decision makers in your organisation know about the new regulations.
2. Designate someone in your business to take responsibility for compliance.
3. Make sure that the individual you have appointed can give good answers, backed up by an evidential trail, if required to do so.
4. Start documenting the data you hold, where it came from and who you share it with.
5. Identify your basis for processing data. Write it down.
6. Consider a Data Protection Impact Assessment.
7. Review your privacy notices. Ensure that you say:
- Who you are
- How you intend to use their data
- What your lawful basis for processing it is
- How long you will retain the data, and
- That the data subject has the right to complain to the Information Commissioner’s Office if there is a problem.
8. Review how you seek consent from data subjects.
9. Check that you have a system for verifying users’ ages.
10. Look at the consents you have now. You do not have to renew every consent.
11. Check how you make a record of each consent and how you manage consents in the future.
12. Check your procedures to ensure that you can fulfil the following rights which data subjects have:
- To be informed what data you are holding
- To access their data
- To rectify data if it is incorrect
- To erase their data
- To restrict processing of their data
- To take their data away. They have a right to receive a copy of their data in electronic form so that they can, for example, load it onto another computer.
- To object to data processing, and
- Not to be subject to automated decision-making.
13. Where you share data with third parties, review your contracts with those third parties. Get those third parties to promise in the agreements that they will handle your data appropriately and will indemnify you for any problems they cause.
14. Look at your procedures for Subject Access Requests. If you do decide to refuse a request, you must say so within a month.
15. Check that you have procedures in place to detect data breaches.
16. If your business operates in more than one EU member state, check which is your lead supervisory authority.
17. Check that the technical measures designed to protect your data security are at the cutting edge of technology.
If you follow all of the above measures, you should be well set for compliance with the new regulation.
For more information on this topic, please contact: Peter Livingstone on 01935 846235 or firstname.lastname@example.org