With the new data protection laws coming into full effect on the 25th of May 2018, it is even more important to make yourself and your business aware of everything that needs to be in place by this date.
Here are some steps you and your business can take to make sure there are no breaches of any of the new data protection laws.
Awareness. You should make sure that you, and everyone in your business who needs to know about the changes, are aware of them.
Information you hold. You should document what personal data you hold, where it came from and who you share it with. An information audit would be helpful for larger businesses.
Communicating privacy information. You should look at your current privacy notices and settings on any communication you have and make any changes by May 25th.
Individuals’ rights. You should check that all your procedures, past and present, that involve any member of staff within the company keep within the guidelines for individuals’ rights.
Subject access requests. You should update how your business handles such requests and plan how you will approach these requests within the recommended timescale in the future.
Lawful basis for processing personal data. You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Consent. You should look at how you ask for, manage and record consent and look at whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Children. You should start thinking about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing.
Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data protection by design and data protection impact assessments. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments, as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Data protection officers. You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure. You should consider whether you are formally required to designate a Data Protection Officer.
International. If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
If you feel you need to know more about the new laws and regulations, visit www.ico.org.uk. There are also lots of courses being held around the country, which are a great opportunity to meet other businesses and find out how they are preparing.