Is your company ready for GDPR?
With only 4 months left, many of our clients are now well under way with their GDPR preparations. If your company holds data on individuals, then there are 12 steps you should be taking right now!
1. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

7. You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the

8. You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

9. You should make sure you have the right procedures in place to detect, report and investigate a personal

10. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

11. You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

12. If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.