How do I prepare for GDPR?

Step 1 – Build Awareness of senior management

Ensure that the senior management teams are aware of GDPR and the likely impact on your organisation to guarantee internal buy-in.

Step 2 – Data status check and documentation

Check your current data status and document:

What personal data do you already hold?
Where did it come from and who have you shared it with?
Where are your vulnerabilities and where can you be held liable?
Where your data currently lives and classify this information.
How long this data is stored in your systems and when it can be deleted?

Step 3 – Privacy notices

Review your current privacy notices:

What updates are needed?
Embed privacy by design and default into all projects – don’t collect more personal data than you need, use anonymisation, pseudonymisation and encryption.

Step 4 – Data subjects’ rights

Check your current procedures to ensure you are able to deliver on all data subjects’ rights. The right to:

Be forgotten; be informed; have data deleted; a copy of their personal data (within a month, free of charge);
Right to data portability – data electronically in a commonly used format;
Right to prevent automated decisions and profiling;
Right to object.

Step 5 – Data subjects’ consent

Assess how you are seeking, obtaining and recording consent:

Are your records accurate, up to date and secure?
Do you have distinct, explicit consent for processing all personal data?
Do you need consent from a person holding parental responsibility? (children can give their own consent at 16, although it can be lowered at 13 for UK).

Step 6 – Data breaches management

Ensure you have appropriate procedures in place to detect, report and investigate any data breaches.

Step 7 – Data Protection by Design and Data Protection Impact Assessments

Familiarise yourself with DPIAs (Data Protection Impact Assessments) and work out when and how to implement these in your organisation (note: exemptions exist for small businesses and small-scale data usage).

Determine whether you need to appoint/contract a DPO (Data Protection Officer) who will be responsible for data protection compliance, acting independently and reporting to the highest levels of management.
Make sure your contracts for all third parties contain the new provisions.

Step 8 – Data Protection Officer

A DPO (Data Protection Officer) is a person – either an employee or an external consultant – who has formal responsibility for data protection compliance within a business. A DPO must be appointed if any of these conditions are met:

The relevant data processing activities are carried out by a public authority or body (where the definition of “public authority or body” is determined by each EU Member State);
The core activities of the relevant business involve regular and systematic monitoring of individual, on a large scale; or
The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

If the DPO is within you organization, as an employer you must:

Provide necessary resources to carry out his/her tasks and maintain his/her expert knowledge;
Provide access to personal data and processing operations;
Ensures he/she is involved in all issues relating to the protection of personal data;
Make his/her contact details available to the public and the supervisory authority.