Preparing for the GDPR:
As we all know, the GDPR is happening in less than a year. Having said this, how should you go about preparing for the GDPR?
Many of the GDPR’s main concepts and principles are similar to those in the current Data Protection Act (DPA). This means that if you are complying with the current law, most of your approach will remain valid under the GDPR. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. It is important to know the main differences between the current law and the GDPR.
When and how should you prepare?
Firstly, it is essential to plan your approach to GDPR compliance as soon as possible. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business, this could have significant budgetary, IT, personnel, governance and communications implications. The GDPR places greater emphasis on the documentation that data controllers must keep in order to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to governance and how they manage data protection as a corporate issue.
Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or children’s data), so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.
However, it is crucial to prepare for this as quickly as possible, as it is not only the laws that have changed. The penalty for not complying with these laws has also changed. There is now a hefty fine which may cost you your business. To avoid this, take a look at these 12 steps to avoid the charges!
Awareness –
Every staff member should be made aware of the change in the law and of what they need to do to comply with it.
The information you hold –
Your organisation should keep a record of personal data, where it comes from and whom it is shared with. You may need to organise an information audit across the organisation or within particular business areas.
Communication Privacy Information –
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals’ rights –
The GDPR includes the following rights for individuals:
- Erasure of data.
- Data portability.
- The right to object.
- The right not to be subject to automated decision-making, including profiling.
Subject access requests –
You should update your procedures and plan how you will handle requests to take account of the new rules:
- In most cases, you will not be able to charge for complying with a request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why, and that they have the right to complain to the supervisory authority and to seek a judicial remedy. You must do this without undue delay and at the latest within one month.
The lawful basis for processing personal data –
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. This detailed guidance can help you with consent.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. This means that any child under 16 (a threshold which may be lowered to 13 in the UK) will need parental consent.
Data Breaches –
Data Protection Impact Assessments – A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
- A new technology is being deployed.
- A profiling operation is likely to significantly affect individuals.
- Special categories of data are being processed on a large scale.
Data Protection Officers –
You should consider whether you are required to formally designate a Data Protection Officer (DPO). You must designate a DPO if you are:
- An organisation that carries out large-scale processing of special categories of data, such as health records or criminal convictions.
- A public authority (except for courts acting in their judicial capacity).
- An organisation that carries out regular and systematic monitoring of individuals on a large scale.
There is also detailed guidance available on PIAs (Privacy Impact Assessments).
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. This is only relevant where you carry out cross-border processing, i.e. you have establishments in more than one EU member state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states. Finally, this guidance can help identify a controller’s or processor’s lead supervisory authority.
With this information, do you think you’re ready for the GDPR to come into effect? It’s never too early to prepare!
We are ISO 27001 certified so your data will always be safe with us!