GDPR: 12 Steps For Readiness Assessment
After months of warnings, the new General Data Protection Regulation (GDPR) is now imminent. On 25th May 2018, GDPR will come into force, affecting any organisation that collects, holds, processes or transfers personal data on individuals resident in the EU: your customers, your employees and your suppliers.
Companies are starting to panic. Solicitors across the country are fielding calls from unprepared clients wanting to find out what needs to be done. Some companies, such as Wetherspoons, the national pub chain, decided not to take any risks and simply deleted their entire database.
You don't need to take such a radical step. But you do need to get ready before the 25th!
Resources To Help With GDPR
Thankfully, there are extensive resources available to help you get ready. Some of the most useful can be found on the Information Commissioner's Office (ICO) website, which we've collected for you here:
- FAQs for the following sectors:
- Guide to the General Data Protection Regulation (GDPR).
- A self-assessment checklist that includes new checklists for data controllers and processors.
These guides and checklists are designed for those who handle data on a daily basis or who have operational and legal responsibilities for ensuring that data handling is compliant. Because many organisations have panicked about GDPR, the ICO has also published several myth-busting blogs in the hope of calming the various worries surrounding this new legislation.
Numerous law firms and IT companies, such as ourselves, have also been working hard to reassure clients and set the record straight around GDPR.
For more support you can also download IBM's useful whitepaper - Pushing The Start Button On Information Governance.
At this point in your GDPR preparations it's worth running through a simple checklist internally to see where you are ready and what else needs doing. To help you prepare and assess your GDPR readiness, we've compiled the following list based on best practice and simple steps that any organisation can follow.
GDPR: 12 Steps to Success
#1: Awareness
Make sure that those with a legal responsibility for the collection, storage and safeguarding of data are aware of their role and duties in relation to the new law. They need to appreciate and understand its impact, and ideally be putting proactive changes in place now, depending on your current level of preparedness. Those with operational, day-to-day responsibilities, especially where these involve third-party, software or supplier relationships, should already be making changes before 25 May 2018.
#2: Conduct an information audit
- What personal data do you process?
- Where did it come from?
- Did you get this with the consent of the data subject(s)?
- And do you share it with any other organisation for any purpose?
Be confident about where your data comes from. If you don't have consent, err on the side of caution and delete any personal data held without consent in your own or third-party systems.
#3: Review your Privacy Policy
Does your current privacy policy go far enough to cover GDPR? If not, now is the time to review and update it, and to communicate those changes to your customers and employees.
#4: Individual rights
Consumers have new rights under GDPR. Does your privacy policy, and any related documentation, explain how you will respond in the event of a data breach, how people can request and be sent a copy of their data, and how that data will be deleted if they ask?
#5: Subject access requests
Consumers can request their information more freely than was previously allowed under data protection law. Make sure processes are in place to provide this data to those who ask for it. Failure to do so could constitute a breach of the new regulations.
#6: Clearly explain why you process customer data
Under the previous Data Protection regime, this did not need to be spelled out so clearly. Now it does. You need to update your privacy policy to explain why your organisation processes personal data, whether this is done with a third party, and whether any of that data crosses EU borders. If so, the Article 29 Working Party guidelines will help you work out your primary data supervisory authority.
#7: Consent
A key step, and one of the main buzzwords around GDPR: consent. Review your current policies for consent and make sure it is clear how you ask for, record and manage it. Make changes now if these procedures fall short of GDPR standards.
#8: Children
Now is also a good time to check whether you hold any children's data and whether you need to put in place systems for verifying ages, or for obtaining parents' or guardians' consent before collecting and processing that data.
#9: Data breaches
What systems do you have in place for preventing a data breach, and for identifying and notifying those whose data has been affected by one? Under the new rules, failure to notify in a timely fashion could result in a large fine.
#10: Data Protection by Design
An impact assessment might be required, and many medium and large organisations should be ready to implement Data Protection by Design as part of their GDPR preparations.
#11: Data Protection Officers
In some organisations, this is going to be a full-time role. In others, a consultant can fill the gap, not unlike appointing an interim or retainer-based Finance Director, HR Manager or Health & Safety Officer. Work out where this role will sit within your structure and governance requirements.
#12: Multi-country impacts
If you operate in multiple countries, you will benefit from referring to the Article 29 Working Party guidelines, so that you know which EU country's authority is your primary data protection supervisory organisation. It may also be helpful to contact them if you transfer EU citizens' data outside the European Economic Area.
We know there is a lot to think about. Please get in contact if you need help and support: we are here to work with our clients to get them ready for GDPR.