Whilst it may seem like miles away, time is passing and we’re only 15 months from the implementation of the new General Data Protection Regulations.
The Information Commissioner’s Office (ICO) continue to issue warnings that ignorance of the new rules will not garner sympathy. Breaches will be treated as such and with fines set to soar, every company needs to know its obligations. As such, Data Bubble welcomes the creation by the ICO of a 12-step guide on GDPR preparation. With this in mind, we bring our summary, along with the link to the guide itself.
The 12 Steps of GDPR Preparation
Key decision-makers within your organisation need to familiarise themselves with the imminent changes. Consider impact, compliance and the additional resources required to ensure all is in place when the time comes.
2- Information You Hold
Accountability plays a large part in GDPR, so the best practice is to document the personal data you hold. Keep a record of where it came from, when and who it’s shared with. Ensure processes are in place to notify other areas with the access of changes to the data as they happen.
3- Communicating Privacy Information
Current privacy policies for many companies will fall short of what is required under GDPR. Additional information, such as retention periods and customers’ right to complain to the ICO, will need to be evident going forwards.
4- Individuals’ Rights
Your procedures for complying with the likes of inaccuracy corrections, deletions and requests to cease marketing must be robust. The new rules are focused on giving individuals more control over the use of their data, and rightly so.
5- Subject Access Requests
Rules regarding SARs will change under GDPR. Time scales afforded to companies to comply with a SAR will shorten and the current charging policy will change. Ensure you are familiar with the changes and best-equipped to handle them under the new rules.
6- Legal Basis for Processing Personal Data
In order to process somebody’s personal information, you must have a legal basis for doing so. Those bases include where you have consent, to fulfil a contract, to comply with a legal obligation, and more. Make sure you know the basis for processing someone’s information and document it.
Under GDPR, consent must be freely given, specific, informed and unambiguous. It must be gained through positive action on the part of the person. Reliance on pre-ticked boxes, silence or inactivity will not be adequate. Review your processes as the onus is upon you to demonstrate compliance.
GDPR will bring with it special protection for children’s personal data. Parental consent will be required in order to process their personal data. If this affects your business, ensure you are familiar with your new obligations.
9- Data Breaches
The new regulations will include specific and strict time frames for the notification of data breaches, whether these be to the regulatory bodies or to the individuals concerned. Make sure your procedures are adequate to detect, report and investigate any breaches.
10- Data Protection by Design and Data Protection Impact Assessments (DPIAs)
A DPIA is a process to assist companies in identifying and minimising the privacy risks of new policies and projects.
11- Data Protection Officers (DPO)
Certain organisations will need to appoint a DPO. Make sure you know now whether this requirement will affect you as part of your GDPR preparation.
If your organisation works internationally, make sure you know which data protection supervisory authority you come under.
In short, the key to ensuring compliance when the new regulations take hold is to be prepared. Take a leaf out of the cub scouts’ rulebook. Remember the 6 Ps? If not, give us a call and we’ll explain!
We hope you find this article on GDPR preparation helpful and invite you to read the whole of the ICO’s 12-Step Guide by clicking HERE
For further information about GDPR, or other topics affecting the marketing industry, why not visit our website www.databubble.co.uk or call Joanne or Steve.