10 steps to GDPR compliance: How prepared are you?

The EU General Data Protection Regulation (GDPR) takes effect in less than eight months, so now is a good time to review the steps you’ve taken to achieve compliance and what you still need to do.

You can base that review on the Data Protection Commissioner’s (DPC) compliance checklist, which is summarised here and outlines what organisations need to do before the 25 May 2018 deadline.

1. Learn about what’s coming

If you’re reading this, you’re probably familiar with the GDPR. But according to our GDPR Report, published in July 2017, only 66% of senior management have been briefed on the Regulation.

Senior management will have a big say on how their organisation prepares for the Regulation, so it’s paramount that they know what’s coming, what they need to do and the risks of failing to comply. Everyone else in the organisation responsible for regulatory compliance and data processing will also need to understand their obligations.

2. Become accountable

The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties, and on what basis might you do so?

3. Review personal privacy rights

Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:

  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to access

Most of these rights are similar to those in current data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.

4. Communicate with staff and service users

You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.

5. Learn about legal grounds

Organisations need to prove that they have a legal ground to process data. Most organisations currently use consent by default, but the GDPR toughens the rules for getting and keeping consent.

There are five other lawful grounds for processing data:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately.

6. Change your consent requests

There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent requests.

7. Research child consent policies

The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16.

For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.

Data controllers must know the age of consent in particular countries and avoid seeking consent from anyone under that age.

8. Appoint a data protection officer

The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.

Although only certain organisations need to appoint a DPO, the Article 29 Working Party recommends that all organisations appoint one as a matter of good practice.

9. Plan for data breaches

One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible.

10. Adopt a privacy-by-design approach

Organisations should adopt a privacy-by-design approach to data protection. To do this, they will need to conduct a data protection impact assessment (DPIA) before undertaking new projects or initiatives.

DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.

Get help preparing for the GDPR

If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments and data protection by design.

We are running our First Steps to GDPR compliance webinar a number of times over the next few months. The presentation explains the basics of the Regulation and what you need to do before the compliance deadline.

Find out more about our GDPR webinar series >>
