Since the General Data Protection Regulation (GDPR) was formally approved earlier this year, UK organisations have been under pressure to put controls in place to improve data protection before the Regulation begins to apply on 25 May 2018.
The GDPR will be the biggest adjustment that organisations handling the personal information of EU residents will have to make; it is thought to affect millions of businesses worldwide – not just in the EU.
What the GDPR stipulates
The GDPR introduces a number of key changes for organisations. In short:
- The definition of personal data is now broader, bringing more data into the regulated perimeter.
- Consent from a parent or guardian will be necessary to process a child's data where an online service is offered directly to a child and consent is the legal basis relied on.
- The rules for obtaining valid consent have changed: consent to the processing of personal data must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action (pre-ticked boxes, silence or inactivity do not count).
- The appointment of a data protection officer (DPO) will be mandatory for certain organisations.
- Data protection impact assessments will be mandatory under certain conditions.
- Data controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, affected data subjects must also be informed without undue delay. Processors must notify their controller without undue delay.
- Data subjects have the right to erasure (the “right to be forgotten”).
To read more about the key changes the Regulation introduces, see our overview.
Implementing the GDPR and achieving compliance
Set up a compliance framework – As a first step, we’d recommend putting in place a compliance framework that ensures you implement appropriate technical and organisational measures aligned with the GDPR. A ‘compliance framework’ is a structured set of guidelines and practices that bring together the regulatory compliance requirements that apply to an organisation, and the business processes, policies and controls that are necessary in order to meet these requirements.
Within this, you’ll need to define your scope and make sure the GDPR is on every director’s radar and on the agenda of every board meeting.
Set your objectives – Your primary objective will be to comply with the GDPR, but other objectives might include identifying efficiencies within the new legal regime and securing data protection throughout your supply chain.
Get to grips with key processes – Your framework should have a number of key processes, including incident management, change management, corrective action, risk management and continual improvement.
Ensure your project runs as business as usual – For your GDPR project to be successful, you’ll need to establish how it integrates with your framework. Who is responsible and accountable for each process? Who needs oversight? What sort of training is necessary? These sorts of questions, in conjunction with the requirements of the GDPR, will inform how you build out the framework from the core requirements.
GDPR: An implementation guide
This blog post includes excerpts from EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide. This best-selling manual provides essential implementation guidance on the GDPR, covering:
- the GDPR in terms you can understand;
- how to set out the obligations of data controllers and processors;
- what to do with international data transfers;
- understanding data subjects’ rights and consent;
- and much more.
For more advice and guidance on implementing the GDPR, take a look at our other resources: