Some Guidance at last
The Information Commissioner has at last issued some guidance on the steps companies need to take before May 25th. As a business involved in looking at companies' data, we have added a couple of our own.
Make sure your data is clean. Ensure that deceased individuals and dissolved companies are removed or identified, that addresses are all correct, and that you are aware of which phone numbers are, for example, on the TPS or CTPS if you are cold calling. If you are not sure about your data, then click here.
Make sure that decision makers and key people in the organisation are aware that the UK Data Protection law is changing to the GDPR. They need to appreciate the impact this is likely to have. Action points should be in place prior to May 25th, 2018.
3. Information you hold
Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Communicating privacy information
You should review your current privacy notices and have a plan in place for making any necessary changes in time for GDPR implementation.
6. Subject access requests
You should update procedures and plan how to handle requests within the new timescales and provide any additional information at no charge to the recipient.
7. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity under the GDPR, document it and update your privacy notice to explain it.
Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now, before May 25th, if they don't meet the GDPR standard.
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. This includes loss of memory sticks and PCs, as well as external data theft.
Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
11. Data Protection by Design and Data Protection Impact Assessments
Make yourself conversant now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party. Work out how and when to implement them in your organisation.
12. Data Protection Officers
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.