The website gdprandyou.ie gives a general overview of what individuals and organisations need to know and do with respect to the new data protection regulation that is due to go live in May this year.
This article summarises the 12 steps that organisations need to consider in order to be reasonably compliant by that date.
- Become aware – It is important that key personnel in your organisation are aware that the law is changing to the GDPR, and start to factor this into their future project planning.
- Become accountable and responsible – Make an inventory of all personal data that you hold and examine it, i.e. why are you holding it; how did you obtain it; why was it originally gathered; how long will you retain it; how secure is it, both in terms of encryption and accessibility; do you ever share it with third parties, and on what basis might you do so?
- Communicate GDPR with your staff – Review all current data privacy notices alerting individuals to the collection of their data.
- Know about Personal Privacy Rights – You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- How will personal data access requests change – You should review and update your procedures and plan how you will handle requests within the new timescales. Access requests must be processed without undue delay and within one month.
- What does a ‘Legal Basis’ mean – You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This is particularly important where consent is relied upon as the sole legal basis for processing data.
- Customer consent as a reason to process personal data – If you do rely on customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous’.
- Processing children’s personal data – If the work of your organisation involves the processing of data from underage subjects, you must ensure that you have adequate systems in place to verify individuals' ages and gather consent from guardians.
- Data Protection Impact Assessments (DPIA) – A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It allows organisations to identify potential privacy issues before they arise and come up with a way to mitigate them.
- Reporting data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection Officers (DPOs) – GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations that process what is currently known as sensitive personal data on a large scale.
- Cross-border data processing and the one stop shop – GDPR includes the one stop shop (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data.