No matter how agile a business is, making changes internally takes time. And with something like GDPR, one may feel that the clock is ever ticking… because it is. If you are one of those organisations that takes longer than a few months to implement change, then you’re going to have to go up a few gears to ensure you’re ready for the switch on 28th May this year. So what should you do?
Twelve-point plan for being ready for GDPR
- Raise awareness of the changes and their impact
All personnel need to be made aware of the changes and ongoing impact of GDPR. Key personnel will need to then be tasked with identifying areas where compliance may be a problem. Resolving these issues can take time and resource, so leaving this to the last minute is simply not an option.
- Identify what information you hold
If you don’t already know what information you hold, you’re going to need to carry out an audit as soon as possible. Assess:
- What personal data is stored?
- Where did it come from?
- Who do you share it with?
Under GDPR you’re going to need to keep ongoing records of how you process data. Here is an example of how this could impact you: imagine you hold incorrect contact information on an individual, and have shared that information with a third party. You’re going to need to be able to illustrate that you have a) identified the inaccuracy, b) corrected the inaccuracy, and c) told the organisation you shared the data with about the inaccuracy.
- Review your privacy policies and notifications
Assess whether they need amending in the light of GDPR, because it will be about more than just telling people who you are and how you intend to use their data. You’ll need to explain what your lawful basis is for processing their information, how long you intend to store it for, and that they can complain to the ICO if they don’t believe you’re handling their data correctly.
- Make sure you’re adhering to individuals’ rights
In a nutshell, individuals will have the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision making and profiling
That’s quite a list, eh? Many are already in place under the Data Protection Act, but there are enhancements you need to watch out for. Now is most definitely the time to get to grips with these enhancements and implement the changes required within your organisation.
- Prepare procedures for how you will handle requests
This could have significant logistical implications if your business handles a lot of requests regularly, so it needs to be catered for now, not in May. This may require additional manpower, additional systems and applications, or a complete rethink as to how you process data. Failure to handle these requests in the right way, though, will likely result in a fine, so it will pay to put the effort in up front.
- Assess what your lawful basis for processing personal data is
Once this is clear to you, it needs to be documented and your privacy notices etc. updated. The thing is, GDPR is significantly strengthening an individual’s rights, so a review of what you believe your lawful basis to be is critical. By documenting all of this now, you will improve your ability to meet accountability requirements.
- Review how you obtain consent
There is detailed guidance from the ICO on the methods that will be acceptable for obtaining consent. Check them out now to ensure that the changes you are making in your organisation can work with the consent requirements. In essence, consent must be given freely, for a specific purpose, through informing the individual in an unambiguous way. And it HAS to be a positive opt-in, with clear ways to withdraw consent. With the clock ticking, note that you may also need to go and get consent from everyone again…
- Be aware that special protection for children is being introduced
This is particularly with respect to commercial internet services. Lawful processing of children’s data is changing quite a lot, so if you already hold, or plan to hold, children’s data… get up to speed on this as quickly as possible.
- Assess how you will detect breaches
It won’t be enough to just rely on someone outside your organisation reporting a breach; you’re going to need to be able to demonstrate that you are actively checking for breaches internally too. Where a breach is likely to result in a high risk to the rights and freedoms of an individual, it will need to be reported to the ICO as well as to the individuals concerned.
- Adopt a DPIA (Data Protection Impact Assessment) approach
One of the key tenets of GDPR is privacy by design. DPIAs will, therefore, be mandatory in many instances. So gen up on these and get your entire workforce familiar with how they are used.
- Designate a Data Protection Officer
Certain bodies have to formally designate a compliance officer. But even if your business isn’t specifically required to do that, someone should still be responsible for compliance.
- Decide where your lead authority is if you operate internationally
This only applies if you operate out of more than one EU member state and carry out cross-border processing. To decide upon your lead data protection supervisory authority, you need to assess which of your establishments makes the most significant decisions about the processing activities.
Time waits for no one…
And so, as you can see, if you haven’t yet started working on compliance for GDPR you have your work cut out for you. But get going on it you must. GDPR isn’t optional and it’s not going to be in your favour if you fail to hit the deadline. There will be significantly more emphasis placed on accountability… don’t be caught short.
If you’d like to find out more about how we can help you get there, then please give us a call.