Exactly one year before the introduction of the General Data Protection Regulation (GDPR), the data protection regulator has warned firms of all types and sizes of the need to ensure they are ready for its implementation on May 25 2018.
Information Commissioner Elizabeth Denham commented:
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
The Information Commissioner’s Office (ICO) has issued a guide called ’12 steps to take now’ regarding the new European Union Regulation. These 12 steps are:
1. Awareness – senior management and other key individuals within firms need to be aware that the GDPR is coming into force, and understand what impact this is likely to have
2. Information you hold – firms are advised to document what personal data they hold, together with details of where it was obtained from and who it might be shared with. The ICO suggests that firms may need to carry out a comprehensive information audit in order to ascertain this
3. Communicating privacy information – firms should review the privacy notices they use, and consider whether any changes need to be made
4. Individuals’ rights – firms should ensure that their data protection procedures cover all the rights individuals have under data protection law. The ICO specifically highlights the issue of how firms would delete personal data, or provide data electronically
5. Subject access requests – firms should ensure they can comply with these requests within one month under the GDPR, as opposed to the 40 days they are currently allowed under UK law
6. Lawful basis for processing personal data – firms should consider what the ‘lawful basis’ is that allows them to process data, and ensure this is explained in their privacy notice. A lawful basis for processing data might be that processing is necessary in relation to a contract which an individual has entered into
7. Consent – firms should review how they obtain consent from individuals, how they record this and how they manage the overall consent process; and consider whether any changes are required
8. Children – firms should consider whether they need systems in place to verify individuals’ ages and to obtain parental or guardian consent for any processing of their personal data that may be necessary
9. Data breaches – firms must have procedures to identify, report and investigate all data breaches that may occur
10. Data Protection by Design and Data Protection Impact Assessments – firms should ensure they are familiar with the ICO’s code of practice on Privacy Impact Assessments (PIAs). The ICO defines a PIA as “a process which assists organisations in identifying and minimising the privacy risks of new projects or policies”
11. Data Protection Officers – firms must ensure they are aware of whether they will need to appoint a Data Protection Officer. Someone needs to be appointed to carry out this role in public authorities; organisations that regularly monitor individuals on a large scale; and organisations that carry out large scale processing of sensitive data, such as health records or information about criminal convictions
12. International – any firm operating in more than one EU member state must ensure they are aware of which national regulator will be their ‘lead data protection supervisory authority’ – this will usually be the national regulator of the state where their head office is based
More on the ’12 steps’ can be found in this ICO guide.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.