Meeting the Regulation's requirements and protecting data subjects' rights is a challenge for every organisation. Each organisation is different, and the effort needed to become compliant will depend on (a) the amount of personal data held, (b) the number of channels through which personal data is obtained and (c) the current level of compliance with the existing Data Protection Acts (1988 and 2003).
The following are practical steps your organisation should follow to prepare for the implementation of GDPR.
- Assign responsibility and budget for data protection compliance, and consider whether a Data Protection Officer (DPO) must or should be appointed.
- Brief senior decision makers on the importance of the law and on the consequences a failure to comply may have for the business in terms of sanctions, penalties and damage to brand and reputation. Depending on the nature of the infringement, fines can reach €20m or 4% of worldwide annual turnover, or €10m or 2% of worldwide annual turnover, whichever is higher in each case.
- Make an inventory of all personal data the organisation holds and, for each category of data, document the following:
  - How was the data obtained?
  - Why does the organisation hold the data?
  - Is the data still required?
  - Is the data adequately secured?
  - Who is it shared with?
- Establish which data processing activities pose the highest risk to the business and to data subjects, and which are most likely to attract the higher tier of fines under GDPR, and allocate resources on that basis. Consider performing a Data Protection Impact Assessment (DPIA) for high-risk processing.
- Review how you obtain consent for all personal data collected and ensure it meets the GDPR requirements, with a particular focus on any data used for marketing.
- Establish how the organisation will handle subject access requests, requests to correct inaccuracies, requests for erasure and requests for data portability.
- Establish a full compliance programme incorporating Data Protection Impact Assessments (DPIAs), regular audits and staff training.
- Review existing supplier arrangements and procurement contracts to ensure they reflect the GDPR's data processor obligations.
- Ensure procedures are in place to detect, report and investigate personal data breaches; GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them where feasible, so the procedure must include a clear internal escalation path.
- Update your privacy notices. There are additional things you will need to include, for example the legal basis for processing the data, the organisation's data retention periods and the individual's right to complain to the Data Protection Commissioner if they believe there is a problem with how the organisation is handling their information.
Ensure all of the above procedures are documented in a Data Protection Policy Manual. The person responsible for data protection compliance should maintain and update the manual, and data protection should be a standing item for discussion at the quarterly audit committee meetings. A Data Protection Policy can go into considerable detail on how the organisation applies the data protection principles, what procedures it follows, and which individuals or departments are responsible for each.
A Data Protection Policy is fundamentally a document for internal reference. An internal policy that reflects the fundamental data protection rules, is enforced through supervision and audit, and is reviewed regularly is a valuable compliance tool.
To find out how we can help you with your data protection requirements, contact a member of our Data Protection team.