On March 14, 2016, the UK Information Commissioner’s Office (“ICO”) published a guide, Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now. The guide, which is a high-level checklist with accompanying commentary, sets out a number of points that should inform organizations’ data privacy and governance programs ahead of the anticipated mid-2018 entry into force of the GDPR.
The twelve steps recommended by the ICO are described below.
- Awareness. Ensure that decision makers and key members of the organization are aware that the law is changing, and that they appropriately anticipate the impact of the GDPR.
- Information Held. Document what personal data is held, where it came from and with whom it is shared, and consider undertaking an information audit.
- Communicating Privacy Information. Review current privacy notices and formulate a plan for making any necessary changes before the GDPR takes effect.
- Individuals’ Rights. Review procedures to ensure organizations address all of the rights that individuals will have under the GDPR.
- Subject Access Requests. Update procedures, plan how to handle requests within the new time frames and provide the required information.
- Legal Basis for Processing. Review data processing activities and identify and document the legal basis for each type of data processing activity.
- Consent. Review how the organization seeks, obtains and records consent, and consider whether any changes are required.
- Children. Consider implementing new systems to verify individuals’ ages and to gather, where relevant, parental or guardian consent for the data processing activity.
- Data Breaches. Make sure appropriate procedures are in place to detect, report and investigate data breaches.
- Data Protection by Design and DPIAs. Become familiar with ICO guidance on Privacy Impact Assessments (Data Protection Impact Assessments, or DPIAs, under the GDPR) and determine how and when they should be implemented.
- DPO. Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance. Determine where the role will sit within the organization’s structure and governance arrangements.
- International. If the organization operates internationally, determine which data protection supervisory authority will be responsible for its regulation.
The ICO notes that organizations that currently comply with existing UK data protection law are likely to be largely compliant with the GDPR, but stresses that a number of the new requirements are more onerous for data controllers. The ICO recommends that organizations map out which parts of the GDPR are likely to have the greatest impact on their business models, and focus on those areas when planning compliance efforts.
Further guidance can be expected from both the ICO and the Article 29 Working Party. In the meantime, the ICO has stressed the importance of planning compliance efforts as early as possible in light of the need for policies and procedures that meet the standards of the GDPR.