Ahead of these changes, the UK Information Commissioner’s Office has issued a 12-step checklist to encourage businesses and individuals to start preparing now, despite the risk of the UK voting for Brexit in the upcoming EU referendum.
Businesses which are already compliant with the current DPA will be in a strong position to meet the requirements of the GDPR. Nevertheless, there are differences (not least, increased fines for non-compliance); here are 12 steps you should follow now:
- Awareness: ensure key decision-makers are aware of the changes, their likely impact and implications for resources.
- Information audit: document what personal data is held and where, the sources of that data, and any organisations with whom the data is shared.
- Privacy notices: review privacy notices in light of the anticipated GDPR changes.
- Individuals' rights: check procedures for managing requests from individuals to exercise their rights.
- Subject access requests: update policies and procedures for handling Data Subject Access Requests (DSARs).
- Legal basis for processing personal data: examine and document what data processing is carried out by your organisation and the legal basis (e.g. individual consent) for this.
- Consent: check how consent is sought, obtained and recorded, and consider whether changes are needed.
- Children: review how you verify children’s ages and parental consent where necessary.
- Data breaches: there will be a new general duty to notify the ICO of certain types of breaches, so check that you have procedures in place to detect, investigate and report a personal data breach.
- Data protection by design and data protection impact assessments: assess how these apply to your organisation.
- Data Protection Officers: designate a Data Protection Officer where required.
- International: if your organisation operates in more than one EU member state, assess which data protection supervisory authority will regulate it.
If you have any specific queries, please contact data protection expert Graeme Fearon on 0117 930 9557 or gfearon@thrings.com.