GDPR Compliance: 10 steps to prepare your business
By the 25th of May 2018, all companies that collect data about citizens in the European Union will need to comply with the General Data Protection Regulation (GDPR). The new rules of the GDPR are expected to set a new standard for consumer rights regarding their data; in order to comply and avoid severe penalties, companies will have to put systems and processes in place by the deadline.
Is your business ready for GDPR compliance? Here are 10 steps to take now.
1. Raise awareness
Make sure all decision makers and key people in your organization are informed about the new rules introduced by the GDPR and about how it will impact your business.
2. Document the data you hold
You may need to organize an information audit in order to provide evidence for the personal data you hold. You will have to declare where it came from and who you share it with.
3. Integrate your privacy policy
Review your privacy notices and policy, and integrate any necessary information in order to comply with the GDPR.
4. Cover individual rights
Check your procedures to ensure they cover all the rights individuals have, including how you delete or provide personal data upon request.
5. Manage subject access requests
Individuals have the right to get a copy of the information that is held about them. This is known as a subject access request. Update your procedures and plan how you will handle these requests within the new GDPR timescales.
6. Identify lawful basis for processing personal data
According to the GDPR, a company must be able to prove and describe which lawful basis it uses to handle personal data. The safest lawful basis for processing is the individual's consent (e.g. a specific opt-in box for a newsletter – see point no. 7). Check the GDPR to identify the lawful basis for your data processing activity, then document it and communicate it through your privacy notice.
7. Manage consent
Review how you seek, record and manage consent and see if you need to make any changes.
8. Implement age verification (if needed)
Check whether you need to put systems in place to verify the age of individuals and to obtain parental or guardian consent for any data processing activity.
9. Prevent data breaches
Commit to doing whatever it takes to detect, report and investigate a personal data breach, reviewing and updating existing procedures when necessary.
10. Designate your Data Protection Officers
Decide who will be responsible for data protection compliance in your organization and assess where this role will sit within your organizational chart. Check whether you are required to formally designate a Data Protection Officer.
Let us know if we can help.
Do you need legal assistance with matters related to GDPR compliance?