Consider these 12 items to prepare for the new General Data Protection Regulation (GDPR), arguably the most important change in data privacy regulation in 20 years.
Your Organization & Its Data
Awareness – Ensure that decision makers and other key people in your organization are aware that the GDPR becomes European Union (EU) law on May 25, 2018. They need to understand the impact this is likely to have on data control, processing, storage systems, and processes.
Information you currently hold – Document what personal data you hold, where it came from, who you share it with, and why it was originally collected. Consider planning and conducting a more formal information audit by consulting with key stakeholders and defining which data has a legitimate business purpose.
Consent and Privacy Notification – Review carefully the various types of data that are processed, controlled, or shared, identifying the legal basis or legitimate business reason for the processing and then documenting it. Remember, too, that your privacy notice must include this information.
International operations – If your organization has data control, processing, or monitoring activities established in more than one EU member state, determine which data protection supervisory authority needs to be selected (the state of your EU headquarters or the location where most processing decisions are made), and then document it. Consult GDPR Article 29 for further information.
Individual Rights & Requests
Individuals’ rights – Check your procedures to ensure that they cover all the rights individuals (natural persons) have, including how you would delete personal data electronically and consistently across all systems that harbor personal information, what common machine-readable format you will use, and how you will handle data portability.
Access requests – Update your procedures for information access requests, and plan how you will handle requests within the new compliance timeframe, including plans to provide any additional information as required. GDPR will normally not allow you to charge for complying with a request, and all reasonable requests must be completed within 30 days.
Children – Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity when an individual is under 16 years of age. If your organization routinely processes data of persons younger than 16 years, this aspect of GDPR may have far-reaching implications.
Consent – Review how you are seeking, obtaining, and recording consent, and whether your organization needs to make any changes. Consent must be explicit and not inferred from data subject silence, inactivity, or pre-ticked boxes on web-based or other forms. The UK Information Commissioner’s Office (ICO) offers guidance on consent.
Communicating privacy information – Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Suggesting specific wording changes—in clear, concise, and easily readable language—will prepare your team for compliance.
Data Protection Officer – Consider who in your organization can act as a Data Protection Officer (DPO): someone who takes responsibility for data protection compliance. GDPR requires a DPO for organizations that are public authorities, that carry out large-scale monitoring of individuals, or that carry out large-scale processing of healthcare data or data relating to criminal convictions. Determine where this role will sit within your organization’s structure and governance arrangements.
Data protection by design, and data protection impact assessments – Familiarize yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs), and formally plan how and when you will conduct them. GDPR requires that systems design includes privacy protection by default, so assessing risks and their severities is paramount.
Data breaches – Ensure that your organization has the right procedures in place to detect, report, and investigate a personal data breach. The timeframe to formally report a breach under GDPR is short: no later than 72 hours after discovery.