GDPR compliance checklist: What actions do you need to take?
The General Data Protection Regulation (GDPR) has been five years in the making, and up until now it’s been a waiting game for most businesses as the finer details of the regulations have been ironed out by the European Union. But on April 14th 2016, the European parliament finally voted through the new rules.
In the UK, the Information Commissioner’s Office (ICO) has advised businesses of all sizes to put the wheels in motion as soon as possible, with the former Commissioner, Christopher Graham, urging a proactive approach last year:
“People have never been so aware of what their personal data is, and never cared so much about how it is used. The law is changing to reflect that.
“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades. Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the boardroom. The new law gives directors 20 million reasons to start listening.”
Those 20 million reasons refer to the eye-watering maximum financial penalty the new regulations will slap on any business found to be in breach (€20 million, or 4% of annual worldwide turnover where that is higher), and have been enough to shake many leaders into action. However, a key question remains: what is actually required to become compliant over the coming two years? The ICO has issued the following (updated) 12-step plan to try to bring more clarity to the situation:
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
The good news is most businesses will already have the vehicles in place to meet these requirements. However, a methodical approach will be necessary at each stage to ensure that nothing gets missed.
The Federation of European Direct and Interactive Marketing (FEDMA) provides some useful tips in its report, General Data Protection Regulation Mythbuster & FAQ, including some crucial guidance for the following:
- You need to assess your requirement for having a Data Protection Officer
“The obligation to have a Data Protection Officer is not dependent on the size of the organisation but on its activities. Where an organisation’s core activities involve “regular and systematic monitoring of data subjects on a large scale” or processing a “significant amount of special categories of data (sensitive personal data)”, the organisation must designate a Data Protection Officer.”
Determining whether your organisation falls into this bracket is a key action to take early in your GDPR assessment. While many organisations handling sensitive data will already have DPOs in place, some, such as mid-sized accountancy firms, may not. Establishing whether to appoint an internal DPO or an external specialist consultant will be a key decision. Crucially, the appointment is mandatory for some organisations, but the GDPR text makes clear that others should also consider it.
- You need to do more than just review your privacy policies and privacy notices
“New processes need to be developed. Furthermore, the accountability principle set up in the Regulation encourages organisations to take a new proactive approach to privacy in their daily data management in order to be able to demonstrate to national data protection authorities that they are compliant with the GDPR.”
This proactivity will mean setting up processes that ensure the regular screening and querying of data used, especially permissions-based data.
- You need to address your processes for obtaining consent
“The GDPR increases the standards for data protection, including the requirement that consent of an individual to data processing activities must be unambiguous. Consent cannot be implied from inaction but must be the result of a positive action by the individual. Consequently, marketers will have to review their way of collecting consent from individuals to receive communications.”
And crucially, this review incorporates all channels of communication, whether they are digital or not.
This last component is arguably one of the most important. Many experts believe the GDPR is, in practice, redefining what ‘consent’ means in terms of data use. As mentioned previously, consent for use of consumer data must be a “freely given, specific and informed indication” of the data subject’s wishes.
When it comes to consent, many businesses will need to rethink how they communicate, and how they succinctly explain to their customers what data they plan to use, as well as how and why they plan to use it. Many organisations, including The Guardian and O2, are already testing new methods for approaching this part of the GDPR, and it’s widely agreed that other businesses should be doing so too, as soon as possible. Whether you do or don’t may not ultimately determine whether your business is GDPR compliant come 2018. But it may well determine whether you’re a transparent and ethical business in the eyes of your customers.
Chris is Editor of MyCustomer. He is a practiced editor, having worked as a copywriter for creative agency, Stranger Collective from 2009 to 2011 and subsequently as a journalist covering technology, marketing and customer service from 2011-2014 as editor of Business Cloud News. He joined MyCustomer in 2014.