Social media activity over the weekend highlighted the fact that there were just 100 days to go until Christmas.
However, UK businesses would be wise to sideline the countdown to Santa for the moment, as there is another ticking timeline which, if ignored, could cost organisations up to 20 million Euro or 4% of global turnover. In 249 days, on 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force, heralded by the Information Commissioner as “the biggest change to data protection law for a generation”.
So, whilst we are all familiar with the Army’s acronym of the Seven P’s of Planning – Proper Planning and Preparation Prevents Particularly Poor Performance – how should businesses prepare for the GDPR? The Information Commissioner’s Office has produced a 12-step checklist which highlights the key steps businesses must take now, at the eight-months-and-counting stage. This is a summary of those 12 steps together with recommended action points:
- Awareness: Upskill your key people on the GDPR, its scope and scale.
- Information you hold: Conduct a data audit – what data you hold, where it is, when and why you collected it, and how you use it.
- Communicating privacy information: Review and revise the content of your existing privacy notices and amend accordingly, in line with the GDPR.
- Individuals’ rights: Review and revise the content of all relevant data management policies and procedures and amend accordingly, in line with the GDPR, particularly where there are enhanced rights.
- Subject access requests: Understand and implement three changes: additional information must be provided; no fee may be charged; and there is a reduced timescale for compliance.
- Legal basis for processing personal data: Understand, identify and document your business’ basis for processing data, ensuring this basis is reflected and explained in your privacy notice.
- Consent: Review and revise how your business asks for and records consent, and amend accordingly, in line with the GDPR.
- Children: Review and revise how your business verifies ages and seeks consent, in line with the GDPR.
- Data breaches: Review and revise how your business detects, reports and investigates data breaches; the GDPR imposes a 72-hour reporting timescale which, if breached, can result in a 10 million Euro fine.
- Data protection by design and data protection impact assessments: Upskill on what they are and when they should be used within your business; review the ICO’s code of practice on Privacy Impact Assessments for detailed guidance.
- Data protection officers (‘DPO’): Decide who is responsible for data compliance, and assess whether the GDPR requires your business to formally appoint a DPO.
- International: Identify your business’ supervisory authority if it operates in more than one EU member state.