As 25 May 2018 fast approaches, now is the time to put your preparations into overdrive for full implementation of the General Data Protection Regulation.
We have prepared a 12-point guide to help you build a coherent approach to achieving early compliance in your own organisation:
- Leadership: who is taking a lead on GDPR implementation? You need someone to drive this forward.
- Training: staff, the senior management team and the Board should all have a basic understanding of GDPR and a detailed understanding of how it affects their own part of the business.
- Policies & Procedures: get them reviewed and revised – much is the same as under the DPA 1998 but there are important changes. Devonshires can help you with standard amendments to your P&Ps.
- Data audit: each of your internal businesses should be reviewing the personal information they hold and why they hold it.
- Data cleansing: this is an opportunity to destroy inaccurate and out-of-date personal information in advance of the enhanced rights of access, erasure and rectification. If holding it is not necessary, bin it!
- Organisational compliance statements: understand what you do with personal data by creating compliance statements for your organisation and for individual internal departments. This will get your people thinking about what they actually do with personal information and the lawful basis for it.
- Data Protection Officers: are you obliged to appoint a DPO? If so, who will take on the role of DPO and do you keep it in-house or outsource?
- Communications with your customers: data protection is everyone’s business and your customers will be reassured by a business which is ahead of the curve and can demonstrate early compliance with GDPR.
- Data security: review your current security measures and your data breach procedures, bearing in mind that GDPR requires notifiable breaches to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them. Not just technology solutions – in an age of ever-increasing threats of cyber-crime, your staff need to ‘Think Data Security’ in everything they do and fully understand the steps to take in the event of a data breach.
- Privacy Notices and Consent Forms: revise and update well in advance of D-Day. You must identify in a far more specific way precisely what you do and intend to do with people’s data (not just externally, but internally with your staff).
- Data sharing: who do you share data with? Start the conversation with them now about how you are going to regulate your dealings with them in terms of GDPR compliance.
- Standard amendments to contracts: not just ensuring your own contracts and terms of business (TOBs) comply, but understanding the standard (and non-standard) clauses you may be presented with by customers and suppliers.