With 177 days to go until The General Data Protection Regulation kicks in, what should businesses be doing when faced with this deadline?
- Set up a clear and responsive Governance Structure. Any change project needs clear governance and GDPR is no different - a clear leader and champions embedded around the business is one way of doing it, but what will work for your organization will depend on how your organization works.
- Analyse the kinds of personal data you have and what you use it for in a Data Mapping / Data Inventory exercise. You'll no doubt find other things you do with personal data that you weren't aware of.
- This will then inform your Gap Analysis. Analyse your policies, procedures, contracts and the steps you need to take to comply with GDPR. Then you should prioritise these in terms of risk profile.
- You'll then have a clear Action Plan which you'll need to implement. The Governance Structure will help you with that, and where you're doing a task across teams, make sure they all do it in the same way.
- Keep track of Other Legislative Changes - GDPR is being supplemented by the draft Data Protection Bill in the UK (becoming a new Data Protection Act once it is law next year) as well as the draft ePrivacy Regulation which will regulate electronic marketing and cookies.
- Check compliance before May, and also ensure you can deliver ongoing compliance to meet the Accountability principle of GDPR - being able to show how you are compliant, as well as actually being compliant.
The scale of the task GDPR requires, combined with the tight deadline, presents many issues for businesses to overcome in creating a plan that addresses all relevant aspects. What are the common risks and mitigations for a GDPR plan?
- "We've got 2,000 contracts which need amending for GDPR". Start with a clear template and instructions, and send a briefing note with the changes to the other party, so they understand why the changes are being made. Shoosmiths offers a contract review and negotiation service.
- "We've no budget". As well as regulatory fines and potential individual claims, there are benefits too from understanding your data flows - from data optimisation to better marketing to reducing storage or supply chain - all delivering ROI.
- "I don't know where to start". The key foundations are governance structure and data mapping. Once these are decided then a workable project plan can be created in manageable pieces.
- "What do I need to include in updated contracts?" GDPR specifies what topics need to go in Controller - Processor contracts. Shoosmiths have a template which has clear guidance as well as the pure drafting.
- "Our privacy policies need updating - when's the best time to do it?" For the new rights coming in in May, privacy policies should be updated once you have the data mapping / inventory in place.
- "How do I train the business?" Provide training for the review exercise as well as on an ongoing basis. Shoosmiths is developing an e-learning module to help clients with exactly this.