One of your New Year resolutions should be to put GDPR compliance at the top of your ‘to do’ list. In a little over four months, on 25 May, it will be in force in the UK and across the EU.
New obligations, greater accountability and heftier fines mean businesses should be taking steps now to make sure they can comply with the GDPR when it comes into force. Here we offer ten key steps to take right now.
- Assemble your GDPR team
Create a team (e.g. from IT, finance, risk and marketing) who will be responsible for GDPR strategy and implementation – GDPR is not just a legal and compliance issue. The potential financial and reputational risks for the company mean senior colleagues should be alive to the issues – you will need their support to give weight to implementation of your GDPR strategy throughout the business.
- Consider appointing a Data Protection Officer (DPO)
Appointment of a DPO is mandatory for public authorities and for private organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, or which carry out large-scale processing of sensitive personal data or data relating to criminal convictions.
Even if this does not apply to you, identifying an individual who has responsibility for GDPR compliance can be helpful for implementing new policies and practices, monitoring compliance and reporting data breaches quickly and efficiently.
- Audit your data
Use your team’s operational knowledge to assess what data you hold and how that data flows within (and outside) your organisation.
Consider how data is collected – online or via a call centre? Where is it stored (on servers on site or with third party providers)? Who has access to it, and how is that access managed? If the data crosses borders, data controllers need to ensure the destination country provides an adequate level of data protection.
- Review policies and contracts
You should gather together existing data protection policies, privacy notices, terms and conditions and any other documentation (e.g. call centre scripts) which your business uses when you first collect personal data. These should be reviewed and, where necessary, updated for GDPR compliance.
- Review relationships with data processors
You should review any existing arrangements with third parties who process data on your behalf and make sure any new contracts you negotiate comply with the new rules on data processing agreements.
- Assess processes for data breach notification
Data breach reporting is one of the key GDPR changes – organisations will have to notify the Information Commissioner’s Office (ICO) of any breach “without undue delay” and in any event within 72 hours. Review your systems – will they tell you automatically when issues occur? Will your staff know what to do and who to contact if they become aware of a data breach?
- Review processes for complying with individuals’ rights
A major feature of the GDPR is enhanced rights for individuals in respect of their personal data. Organisations will have a shorter time – one month – to comply with access requests and will no longer have the right to charge a fee. People will have the right to have their information corrected or erased, to move it to another provider (data portability), to restrict how it is processed and to object to data “profiling”.
The breach of data subjects’ rights attracts large fines – up to €20m or four per cent of total worldwide annual turnover (whichever is higher).
- Data Protection Impact Assessments (DPIAs)
Data protection will need to be built into new projects involving data processing, and the risks they pose mitigated. DPIAs are mandatory for high-risk processing and, in other cases, are a good way to demonstrate compliance. Where the DPIA indicates a high level of risk which you cannot mitigate, you will need to consult the ICO before processing begins.
- International transfers
Within the EU. If you operate in more than one EU member state, you will need to determine and document your lead data protection supervisory authority – this will depend on where you make the most significant decisions about processing. If this is the UK, your lead supervisory authority will be the ICO.
Outside the EU. Transfer of personal data outside the EU is only permitted where the organisation receiving the personal data has provided adequate safeguards. These include legally binding agreements and, between organisations in the same corporate group, binding corporate rules. Review your arrangements to meet the new requirements.
- Train your workforce
Work with your core team to spread the message about changes under GDPR – current staff should be trained long before 25 May. New starters will also need updated training materials, and all staff will need regular refresher training.