This checklist highlights 10 steps you can take now to prepare for the General Data Protection Regulation (GDPR) which will apply from 25 May 2018.
Although the GDPR doesn’t come into force until May 2018, it can take several months to become compliant. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. It would be useful to start by looking at your organisation’s risks of failing to comply. You may find compliance difficult if you leave your preparations until the last minute.
The information you hold
You should document what personal data you hold, where it came from and who you share it with. You should organise an information audit across the organisation. The GDPR requires you to maintain records of your processing activities. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for the GDPR implementation. Currently, when collecting personal data you have to give people certain information, such as your identity and how you intend to use their information. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data.
You should check your procedures to ensure they cover all the rights individuals have. This includes how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making, including profiling
Following on from the individuals’ rights, you may want to revise and/or update your procedures. You need to plan how you would handle any requests. For example, if someone asks to have their personal data deleted, would your systems help you locate and delete the data? Who will make these decisions? In addition, consider whether your organisation would be likely to handle a large number of requests, and consider the logistical implications.
You should review how you seek, record and manage consent, and consider whether you need to make any changes, for example refreshing existing consents if they don’t meet the GDPR standard. Consent must be freely given, specific, informed and unambiguous. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of internet services such as social networking. If your organisation offers online services to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Where a breach is likely to result in a high risk to the rights of individuals (for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage), you will also have to notify those concerned directly.
Data protection officers
You should consider whether your organisation is required to formally designate a Data Protection Officer (DPO).
You must designate a DPO if you are:
- a public authority (except for courts acting in their judicial capacity)
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale
- an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.
However, it is a good idea for any organisation to designate someone to take responsibility for data protection compliance.
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. The lead authority is the supervisory authority in the state where your main establishment is. (Your main establishment is the location where your central administration in the EU is, or else the location where decisions about the purposes and means of processing are taken and implemented.) This is only relevant if you carry out cross-border processing, i.e. you have establishments in more than one EU member state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
If this applies to your organisation, you should map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.