GDPR Checklist


On May 25th, the new General Data Protection Regulations (GDPR) come into force. I’m going to give you a whistle stop tour of what you need to consider in preparation for this, based upon the guidance provided by the Information Commissioner’s Office. So here are twelve things you need to be aware of.

Number one is awareness. You need to ensure that your senior management team and key people are aware that the law is changing for GDPR and the impact that that’s going to have on your organisation.

Number two is HR. You need to ensure that your staff are regularly trained around data protection and that employment contracts and information security systems are updated accordingly.

Number three is what information you hold. You need to be aware of what personal information you hold, where you keep it and who you share it with. You may need to carry out an information audit in order to establish this.

Four, communicating privacy information. You need to ensure that any privacy notices are updated so that they are in line with GDPR requirements.

Number five is the rights of the individual. You need to ensure that your systems are able to handle the rights of the individual, which will include the ability to delete data and also to provide personal data in an electronic format.

Six is subject access requests. You need to update your procedures to make sure you can handle any requests within the necessary timescales, providing any additional information that might be necessary.

Number seven is the lawful basis for processing personal data. You should identify how lawfully you will go about processing data in line with the requirements of GDPR. You should document it and update your privacy notices to explain it.

Eight is consent. You need to review how you seek, record and manage consents, and also to review any existing consents you may have to decide if they need to be updated in preparation for GDPR.

Nine is children. You need to ensure that your current systems can record the age of an individual so that, if necessary, parental or guardian consent can be gained for the processing of appropriate data.

Number ten is data breach. You need to ensure that you have the processes in place to detect, report and investigate any breaches in personal data.

Number eleven is data protection by design and data protection impact assessments. You need to familiarise yourself with the ICO’s code of practice around privacy impact assessments, that’s PIAs, and also the guidance from the Article 29 Working Party, and work out when and how you are going to implement these within your organisation.

Number twelve is data protection officer. You need to decide if you need one within your organisation and where within the structure and governance arrangements it’s going to sit. Even if you don’t need a data protection officer, you will need to ensure that you have the skills and the resource to fulfil your obligations under GDPR.

So that’s my whistle stop tour of GDPR. If you want any further information, as well as maybe dispelling the difference between fiction and fact around GDPR, then please do not hesitate to call us. We can also provide you with a GDPR Gap Analysis to help you decide what you’ve got to do between now and 25th May.