10 Apr 2018

12 Steps to GDPR Preparation

The boy scouts amongst you will be very familiar with our approach to GDPR, “Be prepared”. The best and most efficient way to tackle these brand new regulations is to act now and save yourself a last minute panic. You only have until 25th May before the GDPR is enforced, which isn’t long. So grab yourself a cup of coffee and get ready.

We have put together a 12 step program that will set you up perfectly for the GDPR. 12 nice and easy steps that will leave you in a very good position come May. Some parts of the GDPR will seem endless and more unforgiving than others, but it’s important to stay calm. Make sure to give those terrifying areas the due care and attention they deserve, whilst planning your attack.

1. Awareness

Everybody within your organisation needs to be on the same page when it comes to the GDPR. It’s vital you stress just how important these changes are, and the positive effects they are likely to have on your organisation. The decision makers and senior management need to quickly identify any specific areas that could be cause for concern under the GDPR.

2. Information

We’d suggest you take a big piece of A3 paper and start putting together each piece of data you collect, and where you collect it from. Include things like what personal data you hold on customers, where it came from and who you share it with. The GDPR also requires you to maintain records of your processing activities. Each piece of information you hold needs to be as accurate as possible. If you’ve passed data to a third party that’s inaccurate, you need to let them know so they can correct their records.

3. Communicating Privacy Information

It’s time to dust off your widely ignored privacy policy and bring it into the GDPR age. As well as the normal information you have to give, there are a couple more bits you need to be letting people know. Within your GDPR-ready policy you should be explaining why you need customers’ personal data, as well as how long you’re going to hold onto it. Make sure to keep this information really clear and easy to understand.

4. Individuals’ Rights

Under the new GDPR, individuals have a whole host of new rights that you need to be aware of. These rights now include everything from the right to be informed, erasure and more. A full list of the rights can be found on the ICO website here – (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/).

With all these new rights, it’s best to take a step back and look at your current procedures to work out if you’re ready. If somebody wanted all of their personal data deleted, would you know where to look to do that? Don’t forget, any personal data that you provide needs to be in a structured, commonly used and machine readable format, like a CSV file or a PDF document.

5. Subject Access Requests

You need to have the correct procedures in place to be able to provide any and all data, should somebody request it. You will not be able to charge an admin fee, so it’s best the procedure is as efficient as possible. You’ll also only have a month to comply, which is a 10 day reduction from the current timeframe. If you’re a larger organisation, it could potentially be worth looking into developing systems that allow individuals to access and manage their own data easily online.

6. Basis For Processing Personal Data

It’s time to stop thinking about “how” you’re going to get individuals’ data, and focus on “why” you’re getting it. In your privacy policy, you need to clearly explain the reasons you’re gathering each piece of personal data. You should document your legitimate bases in order to help you comply with the GDPR’s ‘accountability’ requirement.

7. Consent

Consent is the main drive behind the entirety of the GDPR coming into effect in May. Initially you need to be reviewing how exactly you’re seeking, recording and managing consent. As this is an entire post in itself, we’ll refer you once again to ICO, who have explained it better than we ever will – (https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf).

In essence, consent must be freely given, specific, informed and unambiguous. Gone are the days of pre-ticked consent boxes and strangely worded tick-boxes. It also needs to be super simple for individuals to withdraw their consent, should they wish to.

8. Children

We’d suggest you start thinking now about whether you need to begin verifying individuals’ ages, or how you’re going to obtain parental or guardian consent. Up until now, the DPA offered no protection to children’s data, but that’s going to be changing with the GDPR. Within the GDPR it states that a child can give their own consent at 16, but if they’re any younger you will need to get consent from somebody holding parental responsibility.

9. Data Breaches

Those 2 dreaded words that nobody ever wants to hear. The protection of data is the main focus of the brand new GDPR. You need to make sure you’re set and able to detect, report and investigate any personal data breach. You don’t however have to notify the ICO of ALL data breaches, only a select few types. If the breach is likely to result in a risk to the rights and freedoms of the individuals, the ICO needs to be notified. This can be anything from resulting in discrimination to potential damage to an individual’s reputation.

10. Data Protection by Design and Data Protection Impact Assessments

In the past it has always been best practice to design your privacy policy around your specific procedures. Under the GDPR this is now a legal requirement. It also makes creating a Data Protection Impact Assessment mandatory. For those who aren’t aware, DPIAs help organisations identify the most effective ways to comply with their data protection obligations and meet individuals’ expectations of privacy. If you’d like a little more information on DPIAs take a peek at the ICO website – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

11. Data Protection Officers (DPOs)

Although DPOs are not required in every organisation, we feel it’s going to be best practice to designate one anyway. What harm can come from having somebody who is officially named to deal with all your data protection issues? It doesn’t have to be an internal team member either; you can hire an external Data Protection Advisor.

12. International

The international aspect of the GDPR only comes into effect if you operate in more than one EU member state. If you do, you’re required to determine your lead data protection supervisory authority and document it clearly. This authority must be situated in the same area as your main registered office is located. All of this is only relevant where you carry out cross-border processing – i.e. you have establishments in more than one EU state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.

Do let us know if you have any concerns, or questions regarding what you need to be doing to prepare for GDPR by emailing office@laser.red, or giving us a call on 01472 878496.

The authors

Tom Kelly
Digital Marketer