If not, don’t panic. We are not quite on the home straight yet, with five months still remaining until the GDPR applies from 25 May 2018. However, with the deadline getting ever closer, it is imperative that you do not delay any further.
The practical actions set out below will help you prepare for compliance.
Data mapping: in order to comply, you need to understand what you are dealing with. Data mapping will ensure you understand what data you hold, what you do with it, where you keep it, who you may share it with and what happens when it is no longer required.
Records: the GDPR (Article 30) requires you to keep internal records of processing activities detailing the data processing you carry out, the security measures you apply and your data retention periods. You must produce these to the Information Commissioner on request. Organisations with fewer than 250 employees are exempt from this requirement unless their processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data or criminal conviction data.
Written policies: the GDPR introduces an accountability principle which places a much greater emphasis on being able to demonstrate exactly how you are complying with the data protection regime. This includes documenting your data handling practices and the specific compliance measures you have adopted. Update any existing policies to bring them in line with the GDPR, and identify and produce any new policies that are needed.
Staff awareness and training: successful day-to-day compliance will depend on having well-trained staff. All of your staff will need to be trained on your policies and procedures, and senior staff may require additional training in the core provisions of the GDPR itself.
Reviewing consents: consent must be “freely given, specific, informed and unambiguous” and must be given by a statement or by a clear affirmative action (e.g. actively ticking a box); pre-ticked boxes, silence or inactivity do not amount to consent. Consent must be as easy to withdraw as to give, and you must record how and when it was obtained. Review any consents you currently rely on and re-obtain them where they do not meet this standard.
Reviewing and updating contracts: the GDPR (Article 28) sets out detailed provisions which must be contained in a written contract between you and any data processors you use. Make sure you have reviewed and updated existing processor contracts before the deadline, and have updated any standard terms or template contracts you use.
Appointing a Data Protection Officer (DPO): this is mandatory for some organisations, namely public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal conviction data. If required, your DPO must have expert knowledge of data protection law and must be able to act independently. The DPO role can be outsourced or appointed internally.