If your organisation deals with data from people living in the EU, it’s going to have to comply with the new General Data Protection Regulation (GDPR). The GDPR is concerned with making sure people’s personal data is properly looked after and will require that organisations have certain measures in place when it comes into force on 25th May 2018.
The need for the GDPR is precipitated by the increasingly connected way in which we live our lives and the subsequently vast amounts of data that are stored in the cloud. Unsurprisingly, for a regulation that is “designed to harmonise data privacy laws across Europe” the requirements are pretty extensive. The UK’s Information Commissioner’s Office (ICO) has summarised 12 steps that companies need to take in order to prepare for GDPR, which are listed with our own explanations below:
You need to make sure that the decision makers and key people in your organisation know that the GDPR is coming into force and understand what it means.
2. Information you hold
You need to know what personal data your organisation keeps, which may require a data audit.
3. Communicating privacy information
You need to know what your current privacy policies entail, know how they’ll need to change and have a plan for making any changes.
4. Individuals’ rights
You need to put procedures in place to handle all of the rights that individuals have under the GDPR
5. Subject access requests
You need to put procedures in place for dealing with requests from individuals about whether and how your organisation is processing their data .
6. Lawful basis for processing personal data
You need to know if you will be processing data lawfully under the GDPR, know what the lawful basis for your doing so will be and explain that in your privacy notice.
You need to review how your organisation gains consent for processing data and makes any required changes to ensure that the way it does complies with the GDPR.
You need to identify whether you process any children’s data and, if so, put procedures in place to ensure the way you do complies with the GDPR.
9. Data breaches
You need to make sure you have procedures in place to detect, report and investigate any breaches of people’s personal data that you have.
10. Data Protection by Design and Data Protection Impact Assessments
You need to work out if, when and how you need to implement Privacy Impact Assessments in your organisation.
11. Data Protection Officers
You need to designate a qualified person to take responsibility for data protection compliance within your organisation and possibly introduce a formal Data Protection Officer role.
You need to know the main data protection authorities in each of the EU countries your organisation works in and identify procedures for any cross-border data processing that your organisation carries out.
As you can see, there’s nothing that is required of organisations that is unachievable, but there’s potentially a lot of it, depending on your organisation. Actually knowing and remembering all of the requirements is a task in itself, not just while you prepare for the GDPR, but on an ongoing basis when it comes into force too. With that in mind, we’ve developed an e-learning drill that your organisation can use to educate staff about the GDPR and its requirements.