Partner Maureen Daly recently wrote an article for Business Plus on what businesses need to know ahead of the new General Data Protection Regulation, which comes into force soon. The original article is reproduced below.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and it has real obligations for all businesses that hold data about individuals. But there is no need to panic and it is not too late to start your GDPR preparations. Here are five key steps to take to ensure your business is GDPR-compliant.
1. Carry out a data audit
Document what personal data you hold, where it came from, why it was originally gathered, how long you will retain it, how secure it is and who you share it with. You should identify (and document) the lawful basis for your processing of personal data. You will also need to keep a record of your data-processing activities, which must be provided to the Data Protection Commissioner (DPC) on request.
2. Review policies and privacy notices
Review your policies and privacy notices in order to address the additional information requirements that are necessary under the GDPR. Information must be provided in concise, easy-to-understand and clear language.
3. Review procedures
Review your procedures to ensure that they cover all the rights individuals have under the GDPR, including how you would delete personal data or provide data electronically and in a commonly used format, if requested. Plan how you will deal with requests from individuals (e.g. seeking access to or deletion of their data). Review how you seek, record and manage consent, and whether you need to make any changes to this process.
You are not required to refresh all existing consents, but if you rely on consent to process personal data, you should ensure that it meets the GDPR standard on being freely given, specific, informed, unambiguous and in plain language. If you offer online services to children and rely on consent to collect information about them, then you may need consent from a parent/guardian in order to process the child’s personal data lawfully. The consent has to be verifiable and your privacy notice must be written in language that children will understand.
Consider whether you need to appoint a Data Protection Officer (DPO). Even if you conclude that you do not need to appoint one, you should still identify a person who is responsible for the business’s data protection compliance. Be careful not to designate that person as a DPO, as this will result in additional GDPR compliance requirements.
4. Prepare an incident response plan
Review your procedures to ensure that you can detect, report and investigate personal data breaches. You should have a data breach incident response procedure in place and ensure it is implemented and tested, as it will need to be live by 25 May 2018.
5. Suppliers, training and cross-border processing
Review your arrangements with suppliers, as it may be necessary to make contractual amendments to comply with the GDPR. Your employees should also be made fully aware of the GDPR and should be trained in the application of any new policies.
If your business operates in more than one EU member state, you should map out where your business makes its most significant decisions about its data-processing activities. This will help to determine your ‘main establishment’ and which supervisory authority will be your lead supervisory authority, which will deal with all queries and complaints regarding cross-border processing. This should be documented.