The GDPR comes into force in 7 days
It’s hard to believe that after two years of preparation, the GDPR will officially come into effect this day next week. GDPR has been the buzzword on everyone’s lips for months now, and organisations across the world have been going through their data with a fine-tooth comb to make sure they are compliant with the new legislation.
Despite the two-year transition period and the wealth of GDPR information available, there are still businesses looking for guidance and advice on what they need to do to comply with the GDPR.
Regardless of where your company is located in the world, if you control, collect, or share any personal data belonging to EU citizens, you will need to be compliant with the GDPR.
To ensure your business is on the right track to GDPR compliance, you can follow the below steps:
1. Become Aware – Identify potential areas that could cause compliance problems under the GDPR.
2. Become Accountable – Make an inventory of all the personal data your organisation holds.
3. Communicate with Staff & Service Users – Review your current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing your business engages in.
4. Personal Privacy Rights – Review your procedures to ensure they cover all the rights of individuals including how to delete personal data or provide data electronically.
5. How will Access Requests Change? – Review and update your procedures and plan how your organisation will handle requests within the new timescales. All requests must be made within one month.
6. What is meant by ‘Legal Basis’ – Look at the different types of data processing you carry out and identify your legal basis for doing this and document it. This is very important when consent is relied upon as the sole legal basis for processing data.
7. Using Customer Consent as grounds to process data – If you use customer consent when recording personal data, you need to review how you seek, obtain and record that consent, and assess whether you need to make any changes.
8. Processing Children’s Data – The GDPR will introduce a range of special protections to safeguard children’s data. If your organisation processes the data of underage subjects, you will need to make sure you have the adequate systems in place to verify individual ages and gain consent from guardians.
9. Reporting Data Breaches – Ensure you have the right procedures in place to detect, report and investigate a personal data breach. The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection.
10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default – A DPIA is the process of considering the potential impact that a project or initiative might have on the privacy of an individual. It allows organisations to identify potential privacy issues and find a way to mitigate them.
11. Data Protection Officers – The GDPR requires some organisations to designate a Data Protection Officer (DPO). These organisations will include public authorities and organisations that monitor data subjects or process sensitive personal data on a large scale.
12. International Organisations and the GDPR – The GDPR includes a provision that will assist organisations that operate in different EU member states. Multinational organisations will be entitled to deal with one Data Protection Authority, referred to as a Lead Supervisory Authority (LSA) which will act as their single regulating body in the country where they are predominantly established.
If you would like more information on how your organisation can improve its approach to GDPR compliance, click here, to find out how MetaCompliance can help.
DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.