10 Steps to get GDPR ready
In May 2018 the General Data Protection Regulation (GDPR) will come into force, increasing the regulations surrounding the collection and processing of personal data. The GDPR will also greatly increase the potential sanctions for non-compliance. Here are ten top tips to help you prepare for GDPR compliance:
One – Awareness
Ensure key people in your business – across IT, personnel, operations, marketing and elsewhere – are aware of GDPR and the impact that this will have on your business.
Two – Review Information
Undertake an “information audit” to document the personal information that you hold, including how it was collected and with whom it is shared.
Three – Update Privacy Policies
You will need to update and enhance your written privacy policies and notices. For example, you now need to identify in those notices the basis on which you process personal data, and any data retention periods.
Four – New Rights and Subject Access Requests
Individuals have new and enhanced rights in respect of their data, including rights of access, rectification, erasure and data portability. You should ensure that you have systems in place that allow you to swiftly locate all personal data you hold on an individual, so that you can respond to detailed subject access requests within the new (shorter) timescale of one month, and if necessary to delete that data.
Five – Lawful Basis of Processing and Consent
You need to consider, and identify in your data protection documentation, the lawful basis upon which you process all personal data. To do this you will need to identify the personal data you hold and what you do with it. New GDPR standards will make it harder to rely on the data subject’s “consent” to processing – for example in respect of your marketing activity. You should review how any consents were previously obtained and, if necessary, consider refreshing them or relying on another lawful basis of processing.
Six – Children
There are increased restrictions on the processing of children's personal data. Where online services are offered directly to a child, consent must be obtained from a parent or guardian, which may require systems to verify an individual's age and to record that parental consent.
Seven – Data Breaches
In the event of a personal data breach you must notify your supervisory data protection authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and where the breach is likely to result in a high risk to individuals you must also notify the data subject(s) concerned without undue delay. Policies and procedures will need to be in place to ensure you can detect, investigate and report breaches within these timescales.
Eight – Data Protection Impact Assessments
Be aware that Data Protection Impact Assessments may be required for new projects where data processing is likely to result in a high risk to individuals.
Nine – Data Protection Officer (DPO)
Some organisations will need to appoint a DPO: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. All organisations should designate someone to take responsibility for data protection compliance.
Ten – International Requirements
If your business operates in more than one EU country, you should identify your lead data protection supervisory authority, which is the authority in the country of your main establishment. In the UK this is the Information Commissioner's Office (ICO).
James Sarjantson has dealt with data protection matters on behalf of clients for many years and is able to provide practical and commercial solutions to issues raised by the General Data Protection Regulation (GDPR), and to advise on the steps that businesses can take themselves to move towards compliance.
For further advice please contact James Sarjantson on 0113 201 0401 or