©2016 Marilou Pavlou Christodoulides LLC Created by Design Lab

10 THINGS TO DO NOW TO PREPARE FOR THE GDPR

March 28, 2018

 

The General Data Protection Regulation (GDPR) applies from 25 May 2018. Below we list some useful facts about its most important terms, how it might affect you and how to start preparing.

 

1.  Analyse what personal data you use

Map the processing you carry out: what personal data you hold, where it came from, why you hold it, who you share it with and how long you keep it.

For each processing activity, identify and document your lawful basis. Do you rely on the data subject's consent, or can you show that you have a legitimate interest in processing that data? Consent is only one of the lawful bases under Article 6; performance of a contract, compliance with a legal obligation and legitimate interests are others, and you need to be able to point to the one you rely on.

 

2. Prepare for data security breaches

Put in place clear policies and procedures to enable you to detect a personal data breach, react quickly and notify in time where required. Under the GDPR, a breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects. Keep an internal record of all breaches, including those you decide not to report, as the supervisory authority may ask to see it.

 

3. Establish a framework for accountability

  • Do you need a data protection officer? Do you need to carry out data protection impact assessments (DPIAs) for processing likely to result in a high risk to individuals? Consider these questions and ensure that you have clear policies in place to prove that you meet the required standards.

  • Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and the retention of data, and building in safeguards.

  • Put in place a data protection policy. It is essential that staff know how to process data lawfully and who to approach if they have any questions. A data protection policy should cover both of these elements.

 

4. Train your staff

Make your staff aware of the GDPR, the obligations it imposes on your handling of personal data and the penalties for breach. Develop internal training materials and a training programme. Ensure that any staff who collect or process personal data are aware of the legal requirements for its use, and keep a record of who has been trained and when.


5. Embrace privacy by design

Ensure that privacy is embedded into any new processing or product that is deployed, and that privacy-protective settings are the default rather than an option the individual has to choose. This needs to be thought about early in the process to enable a structured assessment and systematic checks, rather than being bolted on once the system is built.


6. Check your privacy notices and policies

The GDPR requires that the information you provide to data subjects about your processing be in clear and plain language. Your privacy notices should set out, among other things, who you are, why you process the data, the lawful basis you rely on, how long you keep it, who you share it with and what rights individuals have. Your policies should be transparent and easily accessible.


7.  Consider the rights of data subjects

Data subjects now have rights such as:

  • the right of access to their personal data;

  • the right to rectification of inaccurate data;

  • the right to erasure (the "right to be forgotten");

  • the right to restrict processing and the right to object;

  • the right to data portability.

Have processes in place to allow them to exercise such rights, respond without undue delay and in any event within one month of the request (extendable in complex cases), and ensure that you have an audit trail of any of these actions.

 

8. If you store personal data, consider the legitimate grounds for its retention

Request as little data as possible: data should be collected for a specific purpose, used only for that purpose and retained for only as long as it serves that purpose. You will typically need individuals' names and contact information at the very least, but you must decide what other information, if any, is necessary for the task at hand and retain the minimum possible data. Set retention periods for each category of data and delete or anonymise data once they expire.

Where you rely on legitimate interests, the burden of proof is on you to demonstrate that your interests are not overridden by the interests, rights and freedoms of the data subjects. You may also face individuals who have unrealistic expectations of their rights, so make sure your staff understand where those rights are limited.


9. If you are a supplier to others, consider whether you have new obligations as a processor

The GDPR imposes some direct obligations on processors which you will need to understand and build into your policies, procedures and contracts.

You are also likely to find that your customers will wish to ensure that your services are compatible with the enhanced requirements of the Regulation.

Create a record of all third parties who are processing personal data on your behalf.

Consider whether your existing contractual arrangements are adequate. The GDPR requires a written contract between controller and processor setting out, among other things, the subject matter and duration of the processing, the processor's obligations of confidentiality and security, the use of sub-processors, assistance with data subject requests and breach notification, and the return or deletion of the data at the end of the contract.

 

10. Cross-border data transfers / Data transfers outside the EU

Ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. In the absence of an adequacy decision by the European Commission, transfers must be covered by appropriate safeguards such as standard contractual clauses or binding corporate rules, or fall within one of the limited derogations (for example, the data subject's explicit consent to the transfer). Remember that using a cloud provider or other supplier hosted outside the EU is itself a transfer.

