A lot is being written about the General Data Protection Regulation (GDPR), but the ICO has published a guide that should give some clarity on this, and CIO on Demand can help you go through the process.
Will the UK be affected by this, as we are heading for Brexit in 2019? The short answer is a definitive YES!
The issue can be summarised in 12 points:
Awareness
Are people in your business aware that the law is changing to the GDPR? Is GDPR on the decision makers' radar? This will have an impact on all organisations, big or small, and they need to be prepared.
Information you hold
An information audit might be a good first step: you should know and document what personal data you are storing, for what purpose, where it came from, and who you share it with.
Communicating privacy information
Are your privacy notices and terms and conditions up to date? If not, it might be time to plan to update them ahead of GDPR.
Individuals' rights
Have you covered all individual rights, or do you need to change procedures to make sure you do? This should include planning for deleting personal data and for providing it electronically in a standard format if requested.
Subject Access Requests
You should update your procedures to make sure you can handle subject access requests (SARs) within the new timescales.
Lawful basis for processing personal data
You should only process personal data on a lawful basis. Update your processes to be within GDPR, document them, and update your privacy notices to make sure the lawful basis is explained properly to everyone.
Consent
Review how you capture personal data to make sure the way you seek, record and manage consent is appropriate, or to identify whether you need to make any changes. Now is the time to make those changes instead of waiting for the deadline.
Children
Are you verifying individuals' ages and putting systems in place to seek parental (or guardian) consent for the data you will process?
Data breaches
Procedures should be in place to detect, report and investigate a data breach that includes personal data.
Data Protection by design and Data Protection Impact Assessment
The ICO publishes many useful guidance documents to help you build security and data protection by design into your data processes, and to implement this in your organisation.
Data Protection Officers
Someone within the organisation should be designated to take responsibility for data protection compliance. You should consider whether you need to formally designate a Data Protection Officer.
International
If you operate in more than one EU country, you should designate a lead data protection supervisory authority within the EU.