The Information Commissioner’s Office (ICO), i.e. the United Kingdom’s Data Protection Authority, has prepared a checklist of 12 steps that organizations can take now to prepare for the General Data Protection Regulation (GDPR), which is expected to come into force in mid-2018:
- Awareness: make sure that decision makers and key people in each organization are aware that data protection law will soon be governed by the GDPR.
- Information you hold: organize an “information audit”.
- Communicating privacy information: review your current privacy notices and make the changes necessary in light of the GDPR.
- Individuals’ rights: check your procedures to assess whether they cover all the rights individuals have.
- Subject access requests: update procedures and plan how to handle requests within the new timescales.
- Legal basis for processing personal data: look at the several types of data processing and identify (and document) the legal basis for them.
- Consent: review how your organization seeks, obtains, and records consent, and whether changes are needed.
- Children: plan to implement systems to verify individuals’ ages and to gather parental consent for minors.
- Data breaches: check if your organization has the right procedure to detect, report and investigate a data breach.
- Data Protection by Design and Data Protection Impact Assessments: get familiar with the ICO’s guideline “Conducting privacy impact assessments code of practice” and plan to implement it in your organization.
- Data Protection Officers: check whether a Data Protection Officer is required for your organization or, in any case, designate a person responsible for data protection compliance. Assess in which department of your organization this person should sit.
- International: if you operate internationally, determine which data protection supervisory authority your organization comes under.
See the ICO’s document here.
For more information, contact Francesca Giannoni-Crystal.