In the latest in our series of briefings on preparing for GDPR, we focus on the steps necessary to implement a GDPR compliance programme. With only one year to go until GDPR comes into force on 25 May 2018, it is vital that organisations take action now to ensure that they are ready to comply with GDPR, in order to be in a position to meet regulatory standards, and minimise risk.
The aim is to be compliant by 25 May 2018, but this may be challenging, so it is sensible to focus on the most important and risky areas first. The key features of the implementation of a compliance programme are to:
- Assemble a project team;
- Assess potential areas of exposure in your current working processes;
- Develop a clear plan of action to be ready for 2018;
- Implement changes needed in a logical / prioritised manner; and
- Establish an effective information governance framework to manage risk.
Assembling the team
Implementation of a GDPR compliance programme requires a substantial investment of money, organisational resources and management time. It is vital to identify key stakeholders and ensure that the organisation has board or senior management buy-in to support the project.
Employers should first determine whether or not a Data Protection Officer (DPO) must be appointed. Even if the organisation is not required to appoint a DPO, it should assign an individual the responsibility for compliance with data protection legislation. The data protection lead will then need to bring together a team from within the organisation with the necessary skills and expertise. Legal, HR, IT and compliance teams will need to take an integrated approach. Technical and/or specialist support may be required to understand where the organisation currently holds personal data, and whether or not current systems are capable of operating within the parameters required to comply with the GDPR.
Once the team is in place, they will need to work with each business area to identify the specific privacy risks that the organisation is exposed to and how these can be mitigated or avoided.
Conducting an initial risk assessment
The first step is to undertake an assessment of current practice – how the business collects, uses and shares personal data and how you regulate all this effectively within the business (ie proper record keeping, training, guidance, audit processes).
The next step is to identify and prioritise the gaps between where the organisation is now and where it wants to be by reviewing existing data practices against GDPR requirements. This exercise should be used to assess the level of privacy risk that the organisation is exposed to, based on:
- The amount and type of data processed (eg if it is sensitive personal data);
- The reason for processing;
- Who it is shared with (eg if it is transferred to processors or other parties); and
- Locations in which processing occurs (eg if it is transferred outside the EEA).
Establishing a GDPR compliance action plan
Once the organisation has conducted an initial audit and risk assessment, the next step is to create an action plan and timeline for developing and implementing a GDPR compliance programme. This should include the following steps:
- Prioritise compliance activity and remedial measures based on areas with the highest risk;
- Create a data register to meet GDPR recordkeeping requirements;
- Review systems and processes. Can the organisation’s IT systems and processes cope technically with the expanded individual rights?
- Create and/or review privacy policies and procedures with clear and practical guidance on GDPR compliance;
- Review and update current privacy notices;
- Integrate privacy by design and default. Collect the minimum amount of information and consider privacy from the outset of each project involving personal data;
- Prepare for data breach notifications. Develop a data breach response programme for prompt notification and investigation;
- Provide training on data protection policies and procedures, and specific training for individuals who process data;
- Implement regular audits against defined metrics (eg number of privacy complaints, completion of training, data breaches suffered) to assess the ongoing success of the compliance programme; and
- Review staffing requirements for ongoing data protection compliance.