Although the 25 May 2018 deadline has passed, this is not the end of the compliance journey for organisations. Initial preparation was made easier for businesses by the introduction of a 12-step checklist by the Information Commissioner’s Office (the ICO), which highlights and codifies the essential steps for businesses to take in order to prepare for the GDPR.
Step 1 – Awareness
GDPR change: The GDPR will significantly amend current data protection law. Not everyone within an organisation will be aware of this.
Action to be taken: Make the GDPR reforms known to key people in the business (e.g. those with supervisory or decision-making powers), and make them aware of the effects of such reforms.
Step 2 – Information you hold
GDPR change: If a business has shared inaccurate personal data with another organisation, the GDPR requires that the business notify that other organisation of the inaccuracy. As part of the new accountability principle, businesses will also have to be able to show how they comply with the data protection principles.
Action to be taken: Businesses should consider undertaking an information audit which documents the personal data held by them, the source of such data and the organisations with whom they share the data.
Step 3 – Communicating privacy information
GDPR change: Additional information must be given to individuals when their personal data is obtained.
Action to be taken: Review current privacy notices/policies and identify those areas which will require updating to ensure compliance with the GDPR.
Step 4 – Individuals’ rights
GDPR change: Individuals will have enhanced rights to:
- Access their information
- Have inaccuracies corrected
- Have information erased
- Prevent direct marketing
- Prevent automated decision making and profiling
- Port their data (data portability)
Action to be taken: Review privacy/data protection procedures and policies to ensure that they provide for each enhanced right under the GDPR.
Step 5 – Subject access requests
GDPR change: Current rules for subject access requests are changing – timescales for compliance will be reduced, fees will generally no longer be chargeable and additional information will have to be provided to individuals, e.g. about data retention periods and the right to have inaccuracies corrected.
Action to be taken: Review and update current procedures for handling subject access requests.
Step 6 – Legal basis for processing personal data
GDPR change: The legal basis for processing will need to be explained in privacy notices and when responding to subject access requests. The rights afforded to individuals will vary depending on the legal basis for data processing.
Action to be taken: Review the data processing carried out by the business and then identify and document the legal basis for processing.
Step 7 – Consent
GDPR change: The threshold for valid consent has been enhanced significantly and now includes additional requirements. Pre-ticked consent boxes are specifically banned and clear records to demonstrate consent must be kept. GDPR also gives a specific right to withdraw consent.
Action to be taken: Review how your business seeks, records and manages consent and whether you need to make any changes to your processes. Refresh existing consents if they don’t meet the GDPR standard.
Step 8 – Children
GDPR change: Parental or guardian consent must be obtained to process personal information of children (i.e. those under 13 years of age in the UK). Consent must be verifiable and written in child-friendly language.
Action to be taken: Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children.
Step 9 – Data breaches
GDPR change: The GDPR widens the number of businesses obliged to notify the ICO and private individuals of data breaches. Failure to comply with this obligation may lead to significant fines by the ICO.
Action to be taken: Ensure that there are procedures in place to detect, investigate and report on personal data breaches. The ICO suggests assessing the types of data held and documenting which ones would trigger notification in the event of a breach.
Step 10 – Data protection by design and data protection impact assessments
GDPR change: Organisations must adopt ‘privacy by design’ (i.e. an approach that promotes privacy and data protection compliance from the outset). Organisations should also carry out a Data Protection Impact Assessment (“DPIA”) in high-risk situations. If processing is high risk, the ICO should be consulted on whether processing complies with the GDPR.
Action to be taken: Know when DPIAs should be used, who should be involved and the process to be adopted.
Step 11 – Data Protection Officers
GDPR change: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.
Action to be taken: Where required, identify and designate a Data Protection Officer – this can be someone within or outside the organisation. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Select someone who has suitable experience.
Step 12 – International
The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.
GDPR change: The GDPR creates a system for determining which data protection supervisory authority takes the lead when investigating a complaint which is international in nature.
Action to be taken: If operating internationally, determine which data protection supervisory authority will be the lead supervisory authority for the business. If the organisation is complex with decisions regarding data processing activities being made in different places, the ICO recommends that businesses map out where the most significant decisions are made to determine the main establishments and then the lead supervisory authority.