The EU General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, replacing the Data Protection Directive, and organisations that are non-compliant can face large fines.
The aim of GDPR is to protect privacy; it replaces laws drafted in 1995, when the Internet was not what it is today.
As well as changes to the rules on where an organisation is located and on fines, the conditions for consent have been strengthened, and instead of having a data controller you need to have a Data Protection Officer (DPO).
A DPO must report to the highest level of management and have expert knowledge of data protection law. They can be an employee or an external service provider, but must have the resources to do the role and to maintain their knowledge. Another key point is that the DPO must not be conflicted by holding a dual role: governing data protection whilst also defining how data is managed.
The 12 steps are:
1 – Awareness: Ensure the key people in your organisation know GDPR is coming
2 – Information: Document what personal data you hold
3 – Privacy: Review your privacy notices
4 – Rights: Check your procedures to ensure they cover all the rights individuals have
5 – Requests: Update procedures to handle requests
6 – Lawful Processing: Identify the lawful basis for your processing
7 – Consent: Review how you seek, record and manage consent to use data
8 – Children: Consider systems to verify ages and obtain parental consent
9 – Breaches: Ensure you have the right processes to detect, report and investigate data breaches
10 – Assessments: Familiarise yourself now with Privacy Impact Assessments
11 – Officer: Designate someone to take responsibility for data protection compliance
12 – International: Determine your lead data protection supervisory authority
If you would like to read more, we recommend the Information Commissioner’s Office website.
Image from Flickr by Descrier.