GDPR can be quite intimidating if you are not fully aware of what your organisation needs to do to comply and the impact this will have on your business.
Businesses that handle information of residents of the UK and EU need to act to ensure they are compliant with the new regulation or leave themselves open to hefty fines from the Information Commissioner’s Office (ICO).
To give businesses a nudge in the right direction, the ICO has outlined 12 Steps To Take Now, which will help your business understand the steps required for compliance.
Step 1 – Awareness
The first step is, understandably, awareness: making sure that decision makers and key personnel within the business know what the legislation is and the impact it is going to have.
Step 2 – Information You Hold
The next step is to map out the personal data you hold, where it came from and who it is shared with.
It may be prudent to hold an information audit to clearly map all of this data.
Step 3 – Communicating Privacy Information
You should review the privacy statements and notices and plan for any required changes prior to the implementation date.
Step 4 – Individuals' Rights
Check your procedures to ensure they cover all the rights individuals have, particularly those surrounding the right to have personal data deleted or provided digitally.
Step 5 – Subject Access Requests
Update your data access procedures and plan how to handle requests within the new GDPR timescales.
Step 6 – Lawful basis for processing personal data
You should identify the lawful basis for your GDPR compliant processing activity, document it and update your privacy notice to explain it.
Step 7 – Consent
Review how you seek, record and manage the way people consent to you storing their data. Update existing consents that do not meet the GDPR standard.
Step 8 – Children
Review whether your business requires age verification or parental/guardian consent for any data processing.
Step 9 – Data Breaches
What would you do if there is a data breach? This step involves making sure you have the right procedures in place to detect, report and investigate personal data breaches.
Step 10 – Data Protection By Design and Data Protection Impact Assessments
Get comfortable with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 working party.
Step 11 – Data Protection Officers
It is important that you designate someone to take responsibility for data protection compliance within your organisation. You should consider whether you are required to formally designate a Data Protection Officer (DPO).
Step 12 – International
If you operate in more than one country, you should determine the lead data protection supervisory authority.