10 Step Action Plan for GDPR Compliance
1. Educate
Train your employees, particularly decision makers, about the GDPR and its impact.
e.g. Arrange appropriate staff training. Cover GDPR basics as well as your own arrangements for data security and cyber-crime awareness.
Resources
ICO Small Business Helpline 0303 123 1113
2. Audit
Check what personal data you hold and where it is kept. Where did it come from and who do you share it with? Maintain relevant documentation on your data processing activities.
Update any existing records. An internal audit of data held may be needed to create a data flow map.
3. Privacy by Design
Consider whether a Data Privacy Impact Assessment (DPIA) would be necessary and/or helpful and familiarise yourself with the ICO guidance on “privacy by design”: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
Currently you must carry out a DPIA where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. “Privacy by design” measures could include: data minimisation; anonymisation; and creating and improving security features on an ongoing basis.
Resources
ICO Data Protection Impact Assessment guidance
4. Privacy
GDPR requirements mean your privacy notice must include how long you retain personal data, details of any sharing of personal data with third parties, an explanation of any profiling activities undertaken, how individuals can exercise their rights, where to send complaints and whether personal data will be processed in non-EU countries. You may need your IT support to produce layered versions for websites. A Privacy Notice should be given to all data subjects when the data is collected – it does not have to be provided in hard copy, but it must be readily available and you must be able to show it was brought to the person’s attention.
5. Lawful Processing
Establish your grounds for lawful processing, including how you are seeking, obtaining and recording consent.
There are various grounds for lawful processing (which do not require consent) including where processing is necessary for the performance of a contract or to enter into a contract. However, consent is likely to be required for the use of special category data and data on criminal convictions (formerly known as sensitive personal data) and to enable the use of data for some marketing purposes.
There is no set time limit for the validity of consent. The ICO advises that firms should review and refresh consent as appropriate to the context – every 2 years could become best practice. Any existing consents should be checked to ensure they are positive and informed, and refreshed as appropriate. The Privacy and Electronic Communications Regulations (PECR) should be considered in relation to electronic marketing.
6. Deletion
Create a procedure to handle subject access and “right of erasure” requests with no charge and in good time.
Data subjects should be able to obtain the personal information you hold about them without delay and, unless there are extenuating circumstances, within a maximum of a month. You may also need to provide the person making the request with information on how long you will hold their data as well as giving them the right to have their data updated (rights which are generally explained in your Privacy Notice). Generally, you will no longer be able to make a charge for providing the information.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances; there is no absolute “right to be forgotten” and firms may have valid grounds to challenge such a request and retain certain data.
7. Portability
Create a procedure to provide data electronically and in a commonly used format to facilitate an individual’s right to data portability. Data subjects have a right to obtain and reuse their personal data for their own purposes across different services, so you should be able to extract the relevant data from your systems and provide it in a suitable form within one month. Refer to your software provider, as necessary.
8. Breach
Check that you have procedures in place to detect, report and investigate data breaches. Assess the data you hold and identify which types might fall within the notification requirement if there was a breach. Designate a person to whom any breach or suspected breach is reported and ensure that person knows the notification procedure.
9. Governance
Ensure appropriate governance measures are in place. If required to do so, designate a Data Protection Officer, or someone who is responsible for data protection compliance. Decide where this role will sit within your organisation’s structure and governance arrangements.
You are expected to put in place comprehensive but proportionate governance measures to ensure compliance with the GDPR. Given their scale of operation, most small firms will not require a DPO, but it is worthwhile to allocate responsibility for GDPR compliance to a senior person who is well versed in the requirements and up to date with the finer details of the regulation.
10. Monitoring
Establish and maintain appropriate ongoing data protection policies and regularly review the effectiveness of your data handling/processing activities and security controls.
Data protection and data security policies should be created as part of the firm’s framework of policies and procedures. It would be helpful to identify any areas that could cause compliance problems under the GDPR and record them on your risk register.
For a free copy of my GDPR checklist you can subscribe here on the website.
I hope you have found this useful. If you have any comments or suggestions please feel free to leave a comment. This is still an evolving topic, so I will be trying to update it as more information becomes available.