Brexit will not exempt organisations from GDPR compliance - the government has confirmed that GDPR will apply in the UK. As we are now only a little over a year away from 25 May 2018 it is essential that everyone starts to prepare now for the changes set out in our article GDPR - what are the key changes?
What are the initial steps that all organisations should take, prior to 25 May 2018, to prepare for the GDPR?
Conduct an audit to establish what personal data you currently process, where it is stored and who has access to it. Erase any data that is unnecessary or outdated.
As part of the audit, record the purpose for which you process each category of data and the legal basis you rely on for that processing.
Review all data protection policies and codes of conduct to ensure they comply with the new principles. If these do not exist they should be created as soon as possible.
Review existing supplier arrangements and template contracts to ensure that, in particular, the new direct obligations on data processors are covered.
Review and update existing information notices, as the GDPR specifies the information that must be provided to individuals about the processing of their personal data.
Review insurance arrangements and assess whether your organisation needs data protection coverage.
Consider which grounds for lawful processing you currently rely on: consent? Performance of a contract? Legitimate interests? Note that public authorities can no longer rely on the "legitimate interests" ground for processing carried out in the performance of their public tasks.
If you rely on consent, consider how you currently obtain consent. Under GDPR it must be unambiguous, active, and relate specifically to the purposes of the processing. You will no longer be able to rely on pre-ticked boxes or bundled consent.
Consider whether there is a requirement to appoint a data protection officer (DPO).
Train all members of staff on the new rules and ensure that anyone likely to receive requests from individuals relating to their personal data knows how to recognise, handle and respond to them.
Ensure that the relevant people know who to report to in the event of a breach. Review and update internal breach procedures and prepare incident response plans, bearing in mind that notifiable breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them.
Keep records of all data processing activity, including decisions relating to data processing, so that you can demonstrate compliance. Ensure that data protection (privacy) impact assessments are carried out when required and keep all relevant documentation.
See our article: ePrivacy Regulation - what are the new cookie laws? for a summary of the draft ePrivacy Regulation that is due to apply from the same day as the GDPR.