The EU General Data Protection Regulation (GDPR) takes effect in less than eight months, so now is a good time to review the steps you’ve taken to achieve compliance and what you still need to do.
You can base that review on the Data Protection Commissioner’s (DPC) compliance checklist, which is summarised here and outlines what organisations need to do before the 25 May 2018 deadline.
1. Learn about what’s coming
If you’re reading this, you’re probably familiar with the GDPR. But according to our GDPR Report, published in July 2017, only 66% of senior management have been briefed on the Regulation.
Senior management will have a big say on how their organisation prepares for the Regulation, so it’s paramount that they know what’s coming, what they need to do and the risks of failing to comply. Everyone else in the organisation responsible for regulatory compliance and data processing will also need to understand their obligations.
2. Become accountable
The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it against the following questions:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and who can access it?
- Do you ever share it with third parties, and on what basis might you do so?
3. Review personal privacy rights
Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to access
Most of these rights are similar to those in current data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.
4. Communicate with staff and service users
You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.
5. Learn about legal grounds
Organisations need to prove that they have a legal ground to process data. Most organisations currently use consent by default, but the GDPR toughens the rules for getting and keeping consent.
There are five other lawful grounds for processing data:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
Organisations should learn when each of these grounds can be relied on and adjust their data collection policies accordingly.
6. Change your consent requests
There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent requests.
7. Research child consent policies
The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16.
For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.
Data controllers must know the age of consent in each relevant country and avoid seeking consent from anyone under that age.
8. Appoint a data protection officer
The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.
9. Plan for data breaches
One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible.
10. Adopt a privacy-by-design approach
Organisations should adopt a privacy-by-design approach to data protection. To do this, they will need to conduct a data protection impact assessment (DPIA) before undertaking new projects or initiatives.
DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.
Get help preparing for the GDPR
If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments and data protection by design.
We are running our First Steps to GDPR compliance webinar a number of times over the next few months. The presentation explains the basics of the Regulation and what you need to do before the compliance deadline.