Countdown to GDPR

With less than 500 days to go until GDPR comes into force, a new research report reveals that less than half of UK businesses (47 per cent) have the faintest clue as to the new directive. For those of us at the coalface it seems impossible that anyone, not least a marketer or IT professional, can have escaped the long arms of GDPR – but apparently they have! The issue here is how to reach the 53 per cent that aren’t aware of the changes in legislation coming up in May next year. It’s a hard task to educate people who don’t know they need educating!

In addition to those organisations that are in the dark, there are a number of companies that are in the know but aren’t doing anything about it. It is estimated that at least a third of organisations are taking a burying-their-head-in-the-sand approach to compliance. And it’s not surprising, given some of the more scaremongering articles out there predicting the cost of it. But whilst adhering to the new legislation won’t be a walk in the park, ignoring it will ultimately be far more costly. Therefore the ICO has issued this 12-step plan to help businesses get started. And with 465 days to go, the clock is ticking.

Awareness: You should make sure that decision-makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.

Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Individuals’ rights: You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

Legal basis for processing personal data: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

Consent: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

Children: You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

Data Protection Officers: You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

International: If your organisation operates internationally, you should determine which data protection supervisory authority you come under.