The top level checklist, to either get you started, or to check back if you’re already on the road, is key:
Raise awareness across all aspects of your business involving staff from all relevant departments. GDPR will apply to all companies doing business in the EU, so make sure overseas colleagues are involved and up to speed.
2. STAY ACCOUNTABLE
Accountability is a key driver of GDPR. So start by documenting what personal data you hold and identify areas of risk. Make certain you understand where the data comes from and whom you share it with. Consider running an information audit.
3. MAKE SURE YOU’RE LEGAL
The GDPR Introduces the Six Privacy Principles as the pillars of the legislation.
Principle 1 is the key … and states that PII must be processed Lawfully , Fairly and Transparently.
The lawfulness of the processing will be dependent on the business . Organisations require a legal basis to process personal data under the GDPR. There are six offers, six legal bases:
Legal compliance (with another law)
Protecting the vital interests of a person
4. GET THE RIGHT CONSENT
Consent plays a key role in the GDPR, which greatly strengthens existing rules. Under GDPR, consent has to be freely given, specific, informed & unambiguous and requires a positive action from the individual. If you process sensitive personal data, consent will have to be explicit.
GDPR introduces Pseudonymisation for the first time into EU law. Pseudonymisation is a process that data goes through to ensure it is no longer not directly linked to an individual. Personal data that does not have any directly identifying details could also be pseudonymised at the point of collection. For example, a randomised cookie ID that allows a user to be recognised but not directly identified.
6. GET YOUR COMMUNICATIONS SORTED
Transparency is another core element of the GDPR, which requires different levels of detail depending on whether you obtain the data directly from the individual or not. In all cases, your notice has to be concise, easily accessible and written in clear and plain language. It will also have to include the legal basis you use and explain your legitimate interest in processing personal data.
Look carefully at the privacy notices you currently use and analyse what needs changing.
7. MAKE SURE YOU UNDERSTAND THE RIGHTS THAT GDPR AFFORDS INVIDUALS.
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
The right not to be subject to automated decision making, including profiling
Check your processes to ensure that you can adequately respond to any requests you might receive from individuals.
8. Data controllers & data processors
GDPR maintains the notions of ‘data controller’ and ‘data processor’ found in current data protection law. Data Controllers are organisations that use data. Data Processors act on behalf of the data controller. Under current rules only the controller is held liable for data protection compliance, but GDPR extends statutory obligations to data processors.
Given that, both controllers and processors will have obligations under GDPR, Think carefully about your precise role. Start working on contracts with partners and review those that are already in place to ensure they are in line with GDPR requirements.
9. DATA BREACHES
Put in place processes that allow you to detect, report and investigate a breach. Identify those types of data that may trigger the notification requirement.
10. Privacy by Design & Privacy Impact Assessments
Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA) play a significant role in the new rules. Under GPDR it will be a legal requirement for you to run a PIA in high-risk situations.
Carrying out a PIA before implementation, can help you assess how to incorporate these two principles into any new products or services you want to bring to market.
11. Data Protection Officers
One of the criteria needed to decide whether you need to designate a Data Protection Officer (DPO) is where ‘the core activities of the controller or the processor consist of processing operations … which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring … of data subjects on a large scale’.
If this applies to your company, then you must appoint someone with the responsibility for your own GDPR Compliance. You will also have to think where in the business structure and governance, this person will fit in.
12. INTERNATIONAL IMPLICATIONS
If you operate in a number of European countries, you need to identify which Data Protection Authority will be your “lead authority”.
You should also think about your options for transferring data to countries outside the EU.
GDPR Academy is dedicated to GDPR and Cyber Security. These go hand-in-hand so you are up-to-date, day-by-day on the latest developments, white papers, laws and timings et al.
GDPR Academy is the only place you’ll find a comprehensive body of knowledge, resources and experts to help you navigate the complex landscape of tomorrow’s GDPR and Cyber Security issues.