1. Learn about what’s coming
If you’re reading this, you’re probably familiar with the GDPR. But according to our GDPR Report, published in July 2017, only 66% of senior management have been briefed on the Regulation.
Senior management will have a big say in how their organisation prepares for the Regulation, so it’s paramount that they know what’s coming, what they need to do and the risks of failing to comply. Everyone else in the organisation responsible for regulatory compliance and data processing will also need to understand their obligations.
The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:
Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:
Most of these rights are similar to those in current data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.
You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.
Organisations need to prove that they have a legal ground to process data. Most organisations currently use consent by default, but the GDPR toughens the rules for getting and keeping consent.
There are five other lawful grounds for processing data:
Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately.
There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent requests.
The GDPR states that children cannot give lawful consent because they “may be less aware of the risks, consequences and safeguards” of sharing data. The default age at which someone is no longer considered a child is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16.
For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.
Data controllers must know the age of consent in each country where they collect data and avoid seeking consent from anyone under that age.
The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.
Although only certain organisations need to appoint a DPO, the Article 29 Working Party recommends that all organisations appoint one as a matter of good practice.
One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of becoming aware of them, and provide as much detail as possible.
Organisations should adopt a privacy-by-design approach to data protection. To do this, they will need to conduct a data protection impact assessment (DPIA) before undertaking new projects or initiatives.
DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.
If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments and data protection by design.
We are running our First Steps to GDPR compliance webinar a number of times over the next few months. The presentation explains the basics of the Regulation and what you need to do before the compliance deadline.