One month to go until GDPR – Is your organisation ready?

With less than one month to go until the GDPR comes into force, organisations of all types may be feeling anxious as to whether or not they will be ready.

Some general reassurance has come from the ICO. On 12 April, the Information Commissioner herself was quoted in the ICO monthly newsletter as saying:-

“for those that feel there is work to be done – and there are many of those … – I want to reassure you that there is no deadline. 25 May is not the end. It is the beginning”.

Whilst we would recommend that every organisation seeks proper consultation and advice, here are 5 things to do and consider in readiness for 25 May:-

1. Data Mapping

In order to be able to show compliance with GDPR, you need to document and understand what personal data you hold, where it came from, how it was collected and with whom and how it is shared.

2. Governance

The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.

3. Notices and Privacy Communications

You need to carry out a full review of current privacy notices and ensure that these align with the GDPR requirements.

4. Consent

Consent must be “freely given, specific, informed and unambiguous”. A data subject never relinquishes their rights, so managing consent is vital. In order to comply with the GDPR’s requirements, you need to ensure that consents are sought, obtained and recorded. As a minimum, you will need to:-

  • request and obtain the data subject’s consent;
  • discontinue processing if the data subject denies or withdraws consent; and
  • if dealing with children under the age of 16, obtain consent from the child’s parent or guardian.

5. Data Security and Reporting Breaches

GDPR requires that appropriate procedures are in place to detect, report and investigate data breaches. Data security obligations under the GDPR are not too dissimilar to those under the DPA; however, the GDPR should be a prompt to review your data security, particularly for more sensitive and confidential personal data. You should also be ready to report any data breaches in line with the 72-hour reporting requirement.

The above is by no means all that needs to be done in your preparation; however, these are some of the key areas to address prior to 25 May 2018.

If you have any queries in relation to GDPR and what your organisation needs to do in order to be ready, please call us on 01603 751926 or contact us via the website to discuss your requirements further.