UK DPA’s 12-step checklist to help organizations to prepare for GDPR

The Information Commissioner’s Office (ICO), i.e. the United Kingdom’s Data Protection Authority, has prepared a checklist with 12 steps that organizations can take now to prepare for the General Data Protection Regulation (GDPR), which is expected to come into force in mid-2018:

  1. Awareness: make sure that decision makers and key people in your organization are aware that the general data protection law will soon be the GDPR.
  2. Information you hold: organize an “information audit”.
  3. Communicating privacy information: review your current privacy notices and make the changes necessary in light of the GDPR.
  4. Individuals’ rights: check your procedures to assess whether they cover all the rights individuals have.
  5. Subject access requests: update procedures and plan how you will handle requests within the new timescales.
  6. Legal basis for processing personal data: look at the several types of data processing and identify (and document) the legal basis for them.
  7. Consent: review how your organization seeks, obtains, and records consent and whether changes are needed.
  8. Children: plan to implement systems to verify individuals’ ages and to gather parental consent in case of minors.
  9. Data breaches: check if your organization has the right procedure to detect, report and investigate a data breach.
  10. Data Protection by Design and Data Protection Impact Assessments: get familiar with the ICO’s guideline “Conducting privacy impact assessments code of practice” and plan to implement it in your organization.
  11. Data Protection Officers: check whether a Data Protection Officer is required for your organization or, in any case, designate a person responsible for data protection compliance. Assess in which department of your organization this person should sit.
  12. International: international operations require determination of which data protection supervisory authority the organization comes under.

See the ICO’s document here.

For more information, Francesca Giannoni-Crystal.