Information Commissioner’s Office publishes 12-step guide to preparing for data protection reform.

The checklist highlights 12 steps organisations can take now to prepare for the EU General Data Protection Regulation (GDPR), which the ICO expects to come into force in mid-2018.

The ICO explains that many of the principles in the new legislation are much the same as those in the current Data Protection Act 1998.  Therefore, if an organisation is complying properly with the current law, then it will have a “strong starting point to build from”.  However, the ICO says, there are “important new elements”, and “some things will need to be done differently”.

Essentially, the ICO says, the new law will enhance the rights of data subjects and place more obligations on organisations to be accountable for their use of personal data.  The twelve points set out in the guidance are intended to be “a helpful starting point” to help break down the legislation into practical areas for action:

  1. Awareness: make sure that decision makers and key people in the organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
  2. Information held: document what personal data is held, where it came from and with whom it is shared. An information audit may need to be carried out.
  3. Communicating privacy information: review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals’ rights: check procedures to ensure they cover all the rights individuals have, including how personal data will be deleted and how data will be provided electronically and in a commonly used format.
  5. Subject access requests: update procedures and plan how to handle requests within the new timescales and how to provide any additional information.
  6. Legal basis for processing personal data: look at the various types of data processing being carried out, identify the legal basis for carrying it out and document it.
  7. Consent: review how consent is being sought, obtained and recorded and whether any changes need to be made.
  8. Children: start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
  9. Data breaches: make sure the right procedures are in place to detect, report and investigate a personal data breach.
  10. Data protection by design and data protection impact assessments: get familiarised now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them.
  11. Data protection officers: designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within the organisation’s structure and governance arrangements.
  12. International: if the organisation operates internationally, determine which data protection supervisory authority the organisation comes under.

The ICO says that its work in preparing for reform will continue while the final texts are being completed, and that it will also be assessing what guidance is needed in relation to the new Directive, which will come into force at the same time as the GDPR.  The ICO’s blog post on preparing for the GDPR, together with the 12-step guide itself, is available on the ICO website.
