Twelve Steps to Help You Prepare for the GDPR

Thursday, 8 March 2018

Chamber member Gilson Gray share another one of their informative GDPR blogs with members:

Is your business prepared for the upcoming General Data Protection Regulation (GDPR)?

Time is running out. The GDPR will come into force on the 25th of May 2018, so don't get caught out!

Here are twelve (12) steps to help your business prepare:

1. Information

It is essential that you document all personal data that you collect and process in a format that can be audited and regularly reviewed. This would include specifying what types of personal data you collect, how you collect that information, how you obtain consent, where that data is stored, how it is secured, and how long you retain the information for before deletion.

2. Communication

Review your current privacy policies, fair processing notices, consent notices, and contractual terms now and implement any necessary changes to bring the documentation in line with the new transparency, reporting, and auditing requirements.

3. Awareness

Raise awareness in your business about the GDPR and ensure that all decision makers are involved in GDPR preparation and made aware that the law is changing. The GDPR is not an IT-only issue; it affects all aspects of a business, including physical security.

4. Legal Basis for Processing Personal Data

Your business must be able to demonstrate the legal basis for collecting and processing personal data, which would include keeping an auditable record of why you need personal data, how you intend to use it, and how long it will be retained for.

5. Consent

Is your business correctly obtaining consent? Consent cannot be implied under the GDPR: it must be explicit, clear, freely given, requiring a positive opt-in, specific, granular, and kept separate from your other terms and conditions.

6. Subject Access Requests

Evaluate your current procedures for complying with Subject Access Requests and ensure you have a system in place to trace personal data and to respond within the new time limits.

7. Individual Rights

Evaluate your policies and procedures to ensure that they respect the rights of individuals, including having the necessary technical and organisational means to respond to Subject Access Requests and Erasure Requests (the Right to be Forgotten).

8. Data Breaches

Ensure that your business has the necessary measures in place to detect, investigate, and report data breaches. Depending on the type of breach, you may also be required to report the breach within 72 hours to the Information Commissioner's Office.

9. Privacy by Design and Privacy Impact Assessments

Businesses must have systems in place to assess how they process personal data and undertake privacy impact assessments to demonstrate how they intend to protect personal data from breaches.

10. Children

If your business collects any information on children, then you will need to implement systems to verify individuals' ages, gather parental or guardian consent, and ensure that your privacy policies can be read and understood by children.

11. Data Protection Officers

If your business processes large quantities of personal data or sensitive personal data, then you may be required to appoint a Data Protection Officer who will be accountable for your business's data protection compliance.

12. International Transfers of Personal Data

If your business transfers personal data outside of the European Economic Area, then you will need to obtain consent from individuals to those transfers taking place.

To find out more or to speak to a member of our Data Protection Team, please visit or call us on 0141 530 2022.