The General Data Protection Regulation (GDPR) is definitely one of 2017s hot topics. With such significant changes just under a year away, we’d recommend getting started auditing and reviewing your internal processes now.
The main thing is - don’t panic, if you’re already complying properly with the current Data Protection Act, most of what you’re doing will remain valid from May 2018. It is essential to review your entire process as there are a number of new elements that are being introduced, as well as some changes and updates to existing guidelines.
To help guide you, we’ve put together a list of six points that you can get started on right now. There will be more revealed between now and 2018, so we will keep you updated along the way:
Step 1: General GDPR awareness
If you’re reading this then you are already aware that you need to be reviewing your data protection process. But, take it one step further and make sure that all relevant people within your company are aware that the law is changing to the GDPR. Time will need to be set aside to see compliance through, if you are short for time (as we all are), start setting aside some time over the next few months to tackle some of the actions within this plan.
Step 2: Privacy Review
Step 3: Information audit
What data do you hold, where did it come from and what do you do with it? You’ll have to answer these questions and provide information on how and where your data is kept. One key update to make your privacy information align with the GDPR will be to explain your lawful basis for processing your data and your data retention periods. Individuals will have the right to complain to the ICO if they think there might be a handling problem. It’s vital to remember that information required will need to be provided in a clear, easy to understand language.
Step 4: Consent review
It’s also a good time to complete a full review of how you seek, record and manage consent. What changes will you need to make in order to comply? Pre-ticked boxes won’t cut it and you have to be absolutely clear at point of data collection. Separate this information from other terms and conditions that you are sharing so consent and privacy is made completely clear. If you rely on individuals’ consent and it isn’t documented, it’s best to recollect so it is GDPR-compliant. Start collecting data so it will be compliant with the upcoming changes, then you will have less data to amend or potentially lose come 25 May 2018.
Step 5: Data protection by design
Familiarise yourself and all relevant employees with the upcoming code of practice and ensure you keep yourself up to date on the Article 29 Working Party (A29WP). Between now and May, there will be a number of updates – so keep your eye on these as they unfold.
Step 6: Appoint a Data Protection Officer
Depending on what industry you’re in, you might need to formally appoint a Data Protection Officer (DPO) to take responsibility for your data protection compliance. If you’re in the public authority; carry out regular or systematic monitoring of individuals on a large scale; or work with health records or criminal conviction records, you must formally designate a DPO. Find out more from the A29WP.
All other companies that handle data should appoint someone within the company who will take responsibility for GDPR compliance.
It can seem a daunting road ahead, but as we mentioned, if you’re already compliant with the Data Protection Act 1998, and you start preparations early you’ll soon be GDPR compliant. Look out for our future GDPR focused content over the coming months to help you prepare your data protection policies for 2018.