How to prepare for the GDPR – 12 steps from the ICO
Now that the GDPR is in final form and set for implementation on 25 May 2018, the ICO has issued updated guidance on the 12 steps to GDPR compliance. This update reviews the ICO’s updated guidance, highlights any changes and reminds you of the steps your business should be taking now to ensure compliance before 25 May 2018.
- Awareness – organisations should be acting now to ensure they are GDPR compliant by 25 May 2018. There is less than one year to go, and implementing the GDPR within an organisation could involve significant resources and planning – it’s never too early to be prepared!
- Information you hold – the GDPR requires organisations to maintain records of all processing activities and the legal bases for processing such data. It is important for organisations to review the data they hold, where it came from, how long they have had it and the legal basis for processing it.
- Communicating privacy information – organisations should review their privacy notices and put a plan in place to make the necessary amendments to ensure GDPR compliance. The ICO has developed a code of practice for Privacy notices which organisations can use to ensure GDPR compliance.
- Individuals’ rights – the ICO has updated the 12 steps to reflect the additional rights individuals will have under the GDPR:
  - right to be informed;
  - right of access;
  - right to rectification;
  - right to erasure;
  - right to restrict processing;
  - right to data portability;
  - right to object; and
  - right not to be subject to automated decision making and profiling.
The right to data portability is new and only applies to personal data an individual has provided to a controller, where the processing was based on consent or performance of a contract and is carried out by automated means. You will need to provide the information in a commonly used, machine-readable form, free of charge.
- Subject access requests – organisations should update the policies and procedures they have in place for dealing with subject access requests to ensure they can comply within the new one-month deadline.
- Lawful basis for processing personal data – organisations must review the legal bases used for processing personal data to ensure they are still relevant and will be GDPR compliant.
- Consent – where your organisation relies on consent, you should read the ICO guidance, as this legal basis is undergoing the most change under the GDPR.
- Children – under the GDPR, for the first time, children’s personal data will be specially protected where organisations are offering information society services directly to children. Organisations should ensure they have processes and mechanisms in place to verify the age of users and seek parental consent for children under 13 (in the UK).
- Data breaches – in certain circumstances organisations will only have 72 hours from discovery of a breach to notify the relevant data protection authority of the breach. Organisations will also have the obligation, in certain circumstances, to notify data subjects directly if the data breach is likely to result in high risk to their personal data.
- Data protection by design and data protection impact assessments – PIAs will be required where processing is likely to result in high risk to individuals, e.g. where new technology is rolled out, where profiling occurs or where processing is conducted on a large scale. The ICO and the Article 29 Working Party have released guidance on this issue.
- Data Protection Officers (DPOs) – organisations should evaluate whether they need to appoint a DPO under the GDPR. If you would like more information on this, please read our blog or the Article 29 Working Party guidance.
- International – where your organisation operates in more than one member state, you should identify the lead supervisory authority. For more information, please see the Article 29 Working Party guidance.
If your organisation has not yet considered the 12 steps detailed above, you should start preparing now!
With less than a year to go, your organisation should be assessing and reviewing the above areas to ensure GDPR compliance by 25 May 2018.