Data security is becoming increasingly relevant ahead of the EU General Data Protection Regulation (GDPR), which becomes effective on 25th May 2018. Here are the twelve steps you need to take to ensure your organisation will be compliant, based on guidance provided by the ICO:
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact that this is likely to have.
2. Human resources
HR needs to ensure that staff receive regular GDPR awareness training and that employment contracts and information security management systems are adjusted accordingly.
3. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
4. Communicating privacy information
You should review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
5. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
6. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
7. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity under the GDPR, document it and update your privacy notice to explain it.
8. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
9. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
10. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
11. Data protection by design and data protection impact assessments
You should familiarise yourself with the ICO’s code of practice on privacy impact assessments (PIAs) as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation.
12. Data protection officer (DPO)
You need to decide whether to appoint a data protection officer to take responsibility for compliance, and assess where this role will sit within the organisation’s structure and governance arrangements. Regardless of whether you need to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
Additionally, 3C Consultants can assist you and your organisation, whether you have started the process or are still in the planning stage, with the 3C GDPR Gap Analysis service. This service provides your organisation with a preliminary assessment of your current level of compliance with the requirements of the GDPR, together with a report that includes recommendations, a prioritised action plan and pointers to guidance and best practice.