10 Step Guide to Start Preparing your Business for the GDPR
The European General Data Protection Regulation (“GDPR”) focuses heavily on accountability and being able to demonstrate compliance – demonstrating compliance will mean keeping records and implementing appropriate technological systems.
To start preparing your company for compliance, immediate steps include:
1. Audit data
Review what personal data you hold, where it came from, identify on what legal basis you have it and who you share it with. A record should be kept to help demonstrate compliance.
2. Checklist of consent
Under the GDPR consent requires some form of clear affirmative action – pre-ticked boxes or inactivity does not constitute consent – you will no longer be able to rely on an assumed consent. Look at:
- Do you have consent to collect/process the data?
- Do you have consent for how you use the data?
- Do you have consent for other uses of the data (e.g. marketing)?
- Do you have consent for providing the data to third parties?
- Finally, can you provide evidence of this consent?
If you do not have consent, identify the legal basis on which you hold the data and record it
Update your existing policy to include; your identity; how you intend to use the information; the legal basis for processing the data; data retention periods.
4. Individuals rights
Your procedures should provide for all the rights individuals have, such as how you delete/update data and respond to data access requests as these rights are improved significantly under the GDPR.
New rights under the GDPR should be provided for which include the right to object to profiling and automated decision making (such as online credit applications, performance at work analysis etc.) and the right to data portability (you must provide an individual with their data electronically in a commonly used format).
5. Security/Data Breaches
Review your security procedures to ensure that access to personal data is limited to necessary personnel – different types of data may require different levels of security. Reporting of breaches to the Data Protection Commissioners office will be mandatory in most cases within 72 hours.
Ensure you have procedures in place to detect, report and investigate a data breach.
6. Third party contracts
Review third party service providers’ contracts and satisfy yourself that they have proper data protection provisions in place. Establish if any of their processing activities are outside of the EU/EEA area and if so, if they are compliant with current data protection laws and if you have consent to transfer that information.
7. Privacy Impact Assessment
If your company processes data that may result in a “high risk” to the data subjects rights, or there is systematic automated processing that may base a decision or large scale processing of sensitive personal data or criminal convictions and offences, or systematic monitoring of a publicly accessible area on a large scale, you must carry out a privacy impact assessment
8. Appoint a person for data protection matters
The GDPR requires some organisations to designate a Data Protection Officer. However, even if you are not required to appoint a data protection officer, you should consider nominating a person who will deal with all queries arising for data protection.
The GDPR brings in special protection for children’s personal data and you should consider putting systems in place to verify individual’s ages and to gather parental or guardian consent for collecting such data.
10. Multi-nationals, identify your main establishment
The GDPR allows multi nationals to have one main establishment to determine which supervisory authority has jurisdiction – this is where the main administration of the organisation or where decisions about data processing are made.