In preparation for the GDPR compliance deadline in 2018, the UK Information Commissioner’s Office (ICO) published 12 steps for businesses to take in order to attain compliance nirvana.

We have already published our own guidance on GDPR compliance but the ICO indicates that the 12 steps to take now are:

  • Awareness – make sure that you understand GDPR
  • Information gathering – assess and verify what personal data you hold
  • Transparency – ensure that you have in place plain language and transparent statements as to how you process personal data
  • Individual rights – understand the new rights for data subjects and anticipate how you will need to amend your business practices to respect those rights
  • Subject access requests – update your policies and procedures regarding subject access requests
  • Legitimate processing – understand how you can lawfully process personal data and identify the legal basis for the use of personal data that you hold
  • Consent – consider what plain language “permissioning” statements you will need to have in place
  • Children – be aware that using children’s personal data places strict compliance obligations on the business
  • Data incidents – GDPR introduces data breach notification rules which you need to be aware of
  • PIA and PbD – Privacy Impact Assessments and Privacy by Design are two relatively new concepts mandated by GDPR, so understand how these affect your business
  • Data Protection Officers – many businesses will be required to appoint a data protection officer who will need to be appropriately trained and be able to act without conflict of interest
  • Data transfers – review how you share personal data internationally and consider what solutions GDPR gives you in order to remain compliant

In addition to the guidance from the ICO it is expected that the EU Article 29 Data Protection Working Party will produce guidance at a European level over the next 6 months.

Compliance with GDPR will inevitably require that Management assess budgets, technology, training, governance and communications.