It’s not too late to comply with the GDPR (General Data Protection Regulation). The Regulation might have come into effect last year, but it’s requirements need to be regularly reviewed. As such, it doesn’t matter what your compliance posture was six months or a year ago. All that matters is where you are now.
Many organisations have been delaying their implementation project until they were sure that it would be worth their time. It’s now been almost twelve months since the GDPR came into force and the results are conclusive. More than 206,000 incidents have been reported to supervisory authorities, and organisations are reaping the benefits of compliance.
According to the 2019 Data Privacy Benchmark Study, organisations that have met the majority of the GDPR’s requirements were 15% less likely to be breached than organisations that were more than a year away from compliance. When a breach did occur, the damage was smaller for compliant organisations, with an average of 79,000 affected records compared to 212,000.
Anyone who wants to know where to begin when implementing the GDPR’s requirements should follow our 10-step guide.
1. Learn what the GDPR is
If you’re reading this, you’re probably familiar with the GDPR, but don’t believe everything you’ve read. A lot of misinformation has been spread about the Regulation, so it’s important to do your research.
You might also choose to enrol on a training course to gain a comprehensive understanding of the requirements you need to meet.
2. Become accountable
The Regulation includes provisions that promote accountability, so we recommend that you make an inventory of all the personal data you hold and examine it under the following questions:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties, and on what basis might you do so?
3. Review personal privacy rights
Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to access
Most of these rights are similar to those in previous data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.
4. Communicate with staff and service users
You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.
5. Learn about legal grounds
Organisations need to prove that they have a legal ground to process data. Most organisations use consent by default, but the GDPR toughens the rules for getting and keeping consent.
There are five other lawful grounds for processing data:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately.
6. Change your consent requests
There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent requests.
7. Research child consent policies
The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16.
For example, the Republic of Ireland, UK and Spain have set the age at 13, Germany and the Netherlands stuck with 16 and Austria opted for 14.
Data controllers must know the age of consent in particular countries and avoid seeking consent from anyone under that age.
8. Appoint a data protection officer
The GDPR states that a DPO (data protection officer) should oversee an organisation’s data protection strategies and compliance programme.
9. Plan for data breaches
One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible.
10. Adopt a privacy-by-design approach
Organisations should adopt a privacy-by-design approach to data protection. To do this, they will need to conduct a DPIA (data protection impact assessment) before undertaking new projects or initiatives.
DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.
Want help getting started?
Now that you know what it takes to comply with the GDPR, it’s time to put that knowledge into practice. That means implementing the requirements and documenting your compliance.
That sounds like a big task, but it’s a lot simpler with expert guidance such as our GDPR Starter bundle.
This bundle contains three essential products to help you document your practices, assess your compliance posture and teach employees about their responsibilities under the Regulation.
This blog has been updated to reflect industry changes. Originally published 16 October 2017.