12 steps to GDPR

Napthens - August 17th 2017

We recommend you assess your business under the ICO’s “Preparing for the General Data Protection Regulations (GDPR): 12 steps to take now” summarised and commented on below by employment partner, Kimberley Barrett-St. Vall.

  1. AWARENESS
    You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
  2. INFORMATION YOU HOLD
    You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. This is likely to be a large task but essential to ensure you adopt a structured approach to getting the organisation GDPR ready.
  3. COMMUNICATING PRIVACY INFORMATION
    You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. INDIVIDUALS’ RIGHTS
    You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. For employers this will not only include considering your data protection policy, but also other policies within your handbook such as: sickness absence policy, disciplinary policy and email and internet usage policy, as well as detailing breach notification procedures.
  5. SUBJECT ACCESS REQUESTS
    You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  6. LEGAL BASIS FOR PROCESSING PERSONAL DATA
    You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This may take some time, but is an important stage of the process.
  7. CONSENT
    You should review how you are seeking, obtaining and recording consent and whether you need to make any changes, or indeed consider whether this is the safest basis upon which you are processing data.
  8. CHILDREN
    You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
  9. DATA BREACHES
    You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
    You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
  11. DATA PROTECTION OFFICERS
    You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
  12. INTERNATIONAL
    If your organisation operates internationally, you should determine which data protection supervisory authority you come under.