The Information Commissioner’s Office (ICO) has released a 12-step plan for companies to start preparing for the impending EU General Data Protection Regulation (GDPR).
Now that the final text of the Regulation has been released, experts believe that there won’t be a clear changeover from the old legislation to the new.
In fact, organisations may begin to feel the impact and may have to respond to the GDPR almost immediately. Some EU member parliaments are already introducing legislation in support of the GDPR provisions. Organisations should not wait to begin assessing their data privacy risk and exposure, and should begin to align their governance and response strategies now.
It is important for organisations to begin to determine the risks that must be managed, get an understanding of the data they have, establish exactly what needs to be protected and take the necessary measures to secure it before the GDPR comes into law in 2018.
The ICO proposes the following actions:
- Launch a staff awareness programme
Staff must be made aware of the changing laws and the potential impact that a data breach may have under the new regulation.
- Audit the information you hold
Organisations should have a clear idea of the personal data being held, where it originated from, and who it can be shared with. An information audit is a key part of a data protection compliance regime. Contact IT Governance now for assistance with your EU GDPR audit.
- Review and update privacy information
Organisations should review their privacy notices and develop a plan that makes it clear how they gather and share personal data in accordance with the EU GDPR.
- Consider individuals’ rights
It is essential to ensure that procedures take individuals’ right to be forgotten into consideration and that organisations are able to respond to requests for personal data records, which will need to be provided in a commonly used format.
- Update subject access requests procedures
The ICO advises that organisations update their procedures to be able to handle data requests according to new timescales and provide additional information as required.
- Establish the legal basis for processing data
Organisations should analyse the reasons for processing any personal data, and confirm and document that there are solid legal grounds for doing so.
- Review consent mechanisms
Organisations should review and update the ways they seek, obtain and record consent for processing personal data.
- Update procedures for processing data about children
Organisations should start implementing systems to verify individuals’ ages and to seek parental or guardian consent for any processing of children’s data.
- Implement data breach procedures
Organisations should implement procedures that will enable them to detect, adequately respond to and investigate a personal data breach according to the requirements of the Regulation.
- Incorporate data protection by design and privacy impact assessments
Organisations should ensure they are implementing privacy impact assessments where required, in line with the EU GDPR requirements. Undertake privacy impact assessments training now.
- Appoint a data protection officer
Organisations should appoint a data protection officer where needed, according to the compliance requirements of the EU GDPR.
- Determine the data protection authority for international organisations
For international operations, organisations should determine which data protection supervisory authority they are required to report to.
Contact IT Governance on firstname.lastname@example.org or call us on +44 (0)845 070 1750 to initiate your EU GDPR compliance journey today.
The full ICO guidelines can be found here.