How do I prepare for GDPR?

What are the steps to prepare for GDPR?

Step 1 – Build Awareness of senior management

Ensure that the senior management teams are aware of GDPR and the likely impact on your organisation to guarantee internal buy-in.

Step 2 – Data status check and documentation

Check your current data status and document:

• What personal data do you already hold?

• Where did it come from and who have you shared it with?

• Where are your vulnerabilities and where can you be held liable?

• Where your data currently lives and classify this information.

• How long this data is stored in your systems and when it can be deleted?

Step 3 – Privacy notices

Review your current privacy notices:

• What updates are needed?

• Embed privacy by design and default into all projects – don’t collect more personal data than you need, use anonymisation, pseudonymisation and encryption.

Step 4 – Data subjects’ rights

Check your current procedures to ensure you are able to deliver on all data subjects’ rights. The right to:

• Be forgotten; be informed; have data deleted; a copy of their personal data (within a month, free of charge);

• Right to data portability – data electronically in a commonly used format;

• Right to prevent automated decisions and profiling;

• Right to object.

Step 5 – Data subjects’ consent

Assess how you are seeking, obtaining and recording consent:

• Are your records accurate, up to date and secure?

• Do you have distinct, explicit consent for processing all personal data?

• Do you need consent from a person holding parental responsibility? (children can give their own consent at 16, although it can be lowered at 13 for UK).

Step 6 – Data breaches management

Ensure you have appropriate procedures in place to detect, report and investigate any data breaches.

Step 7 – Data Protection by Design and Data Protection Impact Assessments

Familiarise yourself with DPIAs (Data Protection Impact Assessments) and work out when and how to implement these in your organisation (note: exemptions exist for small businesses and small-scale data usage).

• Determine whether you need to appoint/contract a DPO (Data Protection Officer) who will be responsible for data protection compliance, acting independently and reporting to the highest levels of management.

• Make sure your contracts for all third parties contain the new provisions.

Step 8 – Data Protection Officer

A DPO (Data Protection Officer) is a person – either an employee or an external consultant – who has formal responsibility for data protection compliance within a business. A DPO must be appointed if any of these conditions are met:

• The relevant data processing activities are carried out by a public authority or body (where the definition of “public authority or body” is determined by each EU Member State);

• The core activities of the relevant business involve regular and systematic monitoring of individual, on a large scale; or

• The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

If the DPO is within you organization, as an employer you must:

• Provide necessary resources to carry out his/her tasks and maintain his/her expert knowledge;

• Provide access to personal data and processing operations;

• Ensures he/she is involved in all issues relating to the protection of personal data;

• Make his/her contact details available to the public and the supervisory authority.

Step 9 – Third Party Solution providers

More information on GDPR and Third Party Solution providers.

Step 10 – Awareness of staff

Inform and educate your employees and personnel on the collection and treatment of all customers data.