12 Steps to Data Heaven


The new General Data Protection Regulation (GDPR) enters into force in May 2016, and organisations then have only two years, until 25 May 2018, to implement the changes needed to be compliant.

Here are 12 steps to take now, endorsed by Christopher Graham and the Information Commissioner's Office (ICO).

1. Build Awareness

You need to ensure that the CEO, Board members and key stakeholders are aware that the law is changing to the GDPR, and appreciate the impact it is likely to have. Many of the organisations I have been talking to are not aware at Board level of what is coming.

2. Document Information you Hold

You should document what personal data you hold, where it came from and who you share it with. In practice this means organising an information audit across the business.

3. Communicating privacy information

Review all current privacy notices and put a plan in place now to make the required changes, so that data collected over the next two years is still valid once the regulation applies.

4. Individuals Rights

You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data on request and how you would provide an individual's data electronically in a commonly used format.

5. Subject Access requests

You will no longer be able to charge a fee for subject access requests in most cases, so expect them to increase in volume. Plan how you will handle requests within the new timetable (one month rather than 40 days) and how you will provide the additional information the GDPR requires. Thought-leading organisations may automate SARs so that any customer can see all the data held on them.

6. Legal Basis for processing Personal Data

Look at the various types of data processing that your organisation carries out, be clear on the legal basis for each of them, and document it.

7. Consent

Review how you are seeking, obtaining and recording consent, and agree what changes you need to implement.

8. Children

You should be looking at putting in place systems and processes to verify individuals' ages and to gather parental or guardian consent for data processing activity involving children.

9. Data Breaches

A personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must be told as well. Review the procedures you have in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact assessment.

Familiarise yourself and your organisation with the ICO's guidance on privacy by design and on Privacy Impact Assessments, which the GDPR makes mandatory for high-risk processing.

11. Data Protection Officers

Designate or recruit a Data Protection Officer to take responsibility for data protection compliance, where the regulation requires one, and assess where the role will sit within your organisation's structure.

12. International

If your organisation operates in more than one EU member state, be clear which data protection supervisory authority is your lead supervisory authority.

Author: Andrew Mann

Managing Partner at NorthBailey. Having held senior marketing and insight roles at Tesco, Sainsbury's, Asda, Co-op and M&S, I now use my experience and network to solve strategic marketing problems for NorthBailey clients.
