12 steps to GDPR compliance

Although the 25 May 2018 deadline has passed, this is not the end of the compliance journey for organisations. Initial preparation was made easier for businesses by the introduction of a 12-step checklist by the Information Commissioner’s Office (the ICO), which highlights and codifies the essential steps for businesses to take in order to prepare for the GDPR.

12-Step Checklist

Step 1 – Awareness

GDPR change: The GDPR will significantly amend current data protection law. Not everyone within an organisation will be aware of this.

Action to be taken: Make the GDPR reforms known to key people in the business (e.g. those with supervisory or decision-making powers), and make them aware of the effects of such reforms.

Step 2 – Information you hold

GDPR change: If a business has shared inaccurate personal data with another organisation, the GDPR requires that the business notify that other organisation of the inaccuracy. As part of the new accountability principle, businesses will also have to be able to show how they comply with the data protection principles.

Action to be taken: Businesses should consider undergoing an information audit which documents the personal data held by them, the source of such data and details of with whom they share the data.

Step 3 – Communicating privacy information

GDPR change: Additional information must be given to individuals when their personal data is obtained.

Action to be taken: Review current privacy notices/policies and identify those areas which will require updating to ensure compliance with the GDPR.

Step 4 – Individuals’ rights

GDPR change: Individuals will have enhanced rights to:

  • Access their information
  • Have inaccuracies corrected
  • Have information erased
  • Prevent direct marketing
  • Prevent automated decision making and profiling
  • Data portability

Action to be taken: Review privacy/data protection procedures and policies to ensure that they provide for each enhanced right under the GDPR.

Step 5 – Subject access requests

GDPR change: Current rules for subject access requests are changing – timescales for compliance will be reduced, fees will generally no longer be chargeable and additional information will need to be provided to individuals, e.g. about data retention periods and the right to have inaccuracies corrected.

Action to be taken: Review and update current procedures for handling subject access requests.

Step 6 – Legal basis for processing personal data

GDPR change: The legal basis for processing will need to be explained in privacy notices and when responding to subject access requests. The rights afforded to individuals will vary depending on the legal basis for data processing.

Action to be taken: Review the data processing carried out by the business and then identify and document the legal basis for processing.

Step 7 – Consent

GDPR change: The threshold for valid consent has been enhanced significantly and now includes additional requirements. Pre-ticked consent boxes are specifically banned and clear records to demonstrate consent must be kept. GDPR also gives a specific right to withdraw consent.

Action to be taken: Review how your business seeks, records and manages consent and whether you need to make any changes to your processes. Refresh existing consents if they don’t meet the GDPR standard.

Step 8 – Children

GDPR change: Parental or guardian consent must be obtained to process personal information of children (i.e. those under 13 years of age in the UK). Consent must be verifiable and written in child-friendly language.

Action to be taken: Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children.

Step 9 – Data breaches

GDPR change: The GDPR widens the number of businesses obliged to notify the ICO and private individuals of data breaches. Failure to comply with this obligation may lead to significant fines by the ICO.

Action to be taken: Ensure that there are procedures in place to detect, investigate and report on personal data breaches. The ICO suggests assessing the types of data held and documenting which ones would trigger notification in the event of a breach.

Step 10 – Data protection by design and data protection impact assessments

GDPR change: Organisations must adopt ‘privacy by design’ (i.e. an approach that promotes privacy and data protection compliance from the outset). Organisations should also carry out a Data Protection Impact Assessment (“DPIA”) in high-risk situations. Where processing is high risk, the ICO should be consulted on whether the processing complies with the GDPR.

Action to be taken: Know when DPIAs should be used, who should be involved and the process to be adopted.

Step 11 – Data Protection Officers

GDPR change: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.

Action to be taken: Where required, identify and designate a Data Protection Officer – this can be someone within or outside the organisation. This will be an important role for the organisation in terms of ensuring compliance with the GDPR. Select someone who has suitable experience.

Step 12 – International

The GDPR applies to the personal data of all individuals within the EU and organisations processing their data are required to comply with the GDPR, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and the GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.

GDPR change: The GDPR creates a system for determining which data protection supervisory authority takes the lead when investigating a complaint which is international in nature.

Action to be taken: If operating internationally, determine which data protection supervisory authority will be the lead supervisory authority for the business. If the organisation is complex with decisions regarding data processing activities being made in different places, the ICO recommends that businesses map out where the most significant decisions are made to determine the main establishments and then the lead supervisory authority.
