Trying to get to grips with what GDPR looks like for your organisation in 2018? With so much information out there, it’s hard to decipher the key messages and ensure you’re fully under the skin of GDPR compliance.
So what does GDPR even mean? GDPR stands for General Data Protection Regulation. The regulation was adopted by the European Parliament in 2016 and will enter into force on 25 May 2018. The legislation introduces new rights for individuals and requires far greater data protection obligations from organisations.
Searching for a GDPR summary?
GDPR introduces a new set of rights. It’s important to prepare for each of these to ensure you’re GDPR compliant. You might hear these described as the eight principles of Data Protection and GDPR. In summary, these include:
- the requirement to give express consent in certain circumstances
- the right to withdraw consent
- the right to be informed – all organisations must be transparent about how they are using personal data
- the right to data portability – this allows individuals to retain and reuse their personal data for their own purposes
- the right to object – in some circumstances, individuals are entitled to object to their personal data being used
- rights in relation to automated decision making and profiling – safeguards to protect against the risk that a potentially damaging decision is made without human intervention
- the right to rectification – individuals can have incorrect or incomplete personal data corrected
- the right to erasure – often referred to as the right to be forgotten
Preparing for GDPR in 2018
Understanding how to be GDPR compliant is critical. Each and every organisation is different, with unique data processes. A two-pronged approach is typically recommended. Firstly, a GDPR project group should be created to identify where change needs to take place. Secondly, with GDPR fines of up to €20 million or 4% of annual turnover, it is always recommended that organisations seek expert legal advice.
11 steps to help you prepare and be GDPR compliant
As mentioned earlier, it’s likely that you will need to set up a GDPR project group. But where do you start? We propose a GDPR action plan to help point you in the right direction. As already covered, obtaining legal advice is also always recommended to ensure your organisation is fully compliant.
1. Awareness – make sure key decision makers are aware that the law is changing and consider where workforce training may be required.
2. Information you hold – conduct a thorough audit and document all the personal data you hold.
3. Communicating privacy information – review your current privacy notices and update them where required.
4. Individuals’ rights – check all your processes and procedures to ensure they are GDPR compliant.
5. Subject access requests – identify how to update processes so you can handle requests within the new timescales.
6. Lawful basis for processing personal data – identify the lawful basis for processing data (and ensure your privacy notice is updated to reflect this).
7. Consent – conduct an audit to identify how you seek, record and manage consent. You may need to refresh consents to meet the new GDPR standards.
8. Children – check whether you need to put processes in place to verify ages and/or secure consent from a parent or guardian.
9. Data breaches – ensure robust procedures are in place to detect, report and investigate a personal data breach.
10. Data Protection Officers – identify and/or appoint someone to take responsibility for data protection compliance.
11. International – if your organisation operates in more than one EU member state, you need to determine your lead data protection supervisory authority.