The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Below we list some useful facts about its most important terms, how it might affect you and how to start preparing.
1. Analyse what personal data you use
Consider what data processing you undertake.
Do you rely on data subject consent or can you show that you have a legitimate interest in processing that data?
2. Prepare for data security breaches
Put in place clear policies and procedures to enable you to react quickly to any data breach and notify in time where required.
3. Establish a framework for accountability
Do you need a data protection officer? Do you need to carry out data privacy impact assessments (DPIAs)? Consider these questions and ensure that you have clear policies in place to prove that you meet the required standards.
Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards.
Put in place a data protection policy. It’s essential that staff know how to process data lawfully and who to approach if they have any questions. A data protection policy should cover both of these elements.
4. Train your staff
Make your staff aware of the GDPR, the obligations it imposes on your handling of personal data and the penalties for breach. Develop internal training materials and a training programme. Ensure any staff who either collect OR process data are aware of the legal requirements for use of that data.
5. Embrace privacy by design
Ensure that privacy is embedded into any new processing or product that is deployed. This needs to be thought about early in the process to enable a structured assessment and systematic checks.
6. Check your privacy notices and policies
The GDPR requires that information provided should be in clear and plain language. Your policies should be transparent and easily accessible.
7. Consider the rights of data subjects
Data subjects now have rights such as:
the right to data portability;
the right to be forgotten.
Have processes in place to allow them to exercise such rights and ensure you have an audit trail of any of these actions.
8. If you store personal data, consider the legitimate grounds for its retention
Request as little data as possible: Data should be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose. You’ll typically need individuals’ names and contact information at the very least, but you must decide what other information, if any, is necessary for the task at hand and retain the minimum possible data.
It will be your burden of proof to demonstrate that your legitimate grounds override the interests of the data subjects. You may also face individuals who have unrealistic expectations of their rights.
9. If you are a supplier to others, consider whether you have new obligations as a processor
The GDPR imposes some direct obligations on processors, which you will need to understand and build into your policies, procedures and contracts.
You are also likely to find that your customers will wish to ensure that your services are compatible with the enhanced requirements of the Regulation.
Create a record of all third parties who are processing personal data.
Consider whether your existing contractual arrangements are adequate.
10. Cross-border data transfers / data transfers outside the EU
Ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.