The new General Data Protection Regulation will become law in June 2016, and organisations have only 2 years to implement changes in order to be legal and compliant.
Here are 12 steps to take now, endorsed by Christopher Graham and the Information Commissioner's Office (ICO).
1. Build Awareness
You need to ensure that the CEO, Board members and key stakeholders are aware that the law is changing to the GDPR, and appreciate the impact it is likely to have. Many organisations I have been talking to are not aware at Board level of what is coming.
2. Document the Information you Hold
You should document what personal data you hold, where it came from and who you share it with; you will probably need to organise an information audit.
3. Communicating privacy information
Review all current privacy notices and put a plan in place to make the necessary changes now, so that data collected over the next 2 years is valid once the regulation is implemented.
4. Individuals' Rights
You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject Access Requests
You will not be able to charge for these, so they will increase in volume. Plan how you will handle requests within the new timetable (a month) and provide any additional information. Thought-leading organisations may automate SARs to allow any customer to see all the data held on them.
6. Legal Basis for processing Personal Data
Look at the various types of data processing that your organisation carries out, be clear on the legal basis for carrying out each one, and document it.
7. Consent
Review how you are seeking, obtaining and recording consent, and agree how you need to implement any changes.
8. Children
You should be looking at putting in place systems and processes to verify individuals' ages and to gather parental or guardian consent for data processing activity.
9. Data Breaches
Any breach, no matter how small or sensitive, needs to be reported. Review the procedures you have in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself and your organisation with the guidance from the ICO on privacy.
11. Data Protection Officers
Designate or recruit a Data Protection Officer to be responsible for data protection compliance, and assess where the role will sit.
12. International
If your organisation is international, be clear which home supervisory body you come under.