The EU General Data Protection Regulation (GDPR) compliance deadline is just one day away, so now is the ideal time to review your compliance steps and look at what else you need to do.
Key GDPR compliance checks:
Responding to subject access requests (SARs)
Under the GDPR you need to respond to a SAR within one month. Organisations need to have procedures in place that allow them to handle SARs in the given timescales.
Staff awareness and training
An organisation cannot claim to be GDPR-compliant if its staff don’t understand the new Regulation. Staff training is key. In the event that your organisation suffers a breach, your employees need to know what to do, e.g. they need to know that the relevant supervisory authority should be notified within 72 hours.
Consent – Have you got it?
The GDPR is built around ensuring organisations have explicit consent to collect and process an individual’s personal data. Organisations need to review how they seek, obtain and record consent, and whether these practices need to be made GDPR compliant. Consent is one of six lawful bases for processing that the GDPR sets out:
- Consent – The data subject has given clear consent to the processing of their personal data for one or more specific purposes.
- Contract – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject before entering into a contract.
- Legal obligation – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public interest – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interest – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
Learn more about the GDPR with our Certified EU GDPR Foundation Training Course
IT Governance’s one-day Certified EU GDPR Foundation course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for EU organisations of any size.
The course is delivered by an experienced data protection practitioner, and is ideal for managers who are already involved in data protection and individuals who want to get started in the field.