The EU General Data Protection Regulation (GDPR) will come into force across all member states (including the UK) on 25 May 2018. As the EU is the UK’s largest trading zone, the UK will still be expected to adopt the GDPR, or something very like it, regardless of the eventual deal reached by the UK Government as part of Brexit negotiations. Therefore, it is vital that UK businesses start to prepare for the changes that are coming.
The additional compliance requirements may be viewed as a burden, even costly and disruptive; however, regardless of size, businesses should also view GDPR as a great new opportunity to enhance their information security practice from technical, governance and legal perspectives.
To help prepare for GDPR, here are 12 steps that the Information Commissioner’s Office advises that you take now:
1. Awareness – Make sure that senior management and key people in your organisation are aware that the law is changing and the impact GDPR will have on your business.
2. Information You Hold – Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating Privacy Information – Review your current privacy notices and put a plan in place for making any necessary changes ahead of GDPR implementation.
4. Individuals’ Rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject Access Requests – Update your procedures and plan how you will handle requests within the new timescales.
6. Legal Basis for Processing Data – Review the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent – Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children – Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9. Data Breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Privacy by Design and Impact Assessments – Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data Protection Officers – Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International – If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
If you have any questions or would like to discuss GDPR with us in more detail, please contact Hannah Farmborough or call on 0207 429 4147 to be put in contact with a member of our team.
This article originally appeared on the blog of our member firm, Henderson Loggie.