eu gdpr - 12 steps to compliance

Page 1

SECURE CYBER UNLOCK OPPORTUNITY IRMSECURITY.COM

Revised EU General Data Protection Regulation

12 steps to compliance.

Paul Sexby, Head of Strategic Practice

September 2016

IRM

Upload: thomas-haynes

Post on 07-Jan-2017



Page 2

Whilst the GDPR does not come into force until April 2018, it is important that organisations are properly prepared for these changes in the context of operational need and business risk.

Page 3

In order to address the requirements introduced in the revised regulation, consider these 12 steps for compliance…

Page 4

1. EDUCATION & AWARENESS

The EU GDPR introduces changes and possible business impacts that all key stakeholders need to be conversant with.

Get properly briefed and armed with the facts to make accurate, informed and timely decisions.

Page 5

2. ACCOUNTABILITY

Organisations are required to be able to demonstrate how they comply with the Data Protection Principles.

Ensure you are aware of the data you hold so you can provide details of the personal information you store, process and transmit.

Page 6

3. LEGAL BASIS

Individuals now have stronger rights that your business has to fulfil.

Be prepared to include the ‘legal basis’ for processing within Privacy Notices and have a process in place to respond to Subject Access Requests.

Page 7

4. CONSENT

Data Controllers must be able to demonstrate that ‘consent’ was given. This could have potentially huge implications for some organisations.

Maintain and retain an ‘audit trail’ and ‘history’ for the life of the data you hold to avoid business disruption.

Page 8

5. PRIVACY-BY-DESIGN

Whilst this has been implicit within the current Data Protection Principles, the GDPR is explicit that this is a legal requirement.

Where high-risk processing takes place, a Privacy Impact Assessment (PIA) will be required.

Page 9

6. INDIVIDUAL’S RIGHTS

Where organisations are likely to struggle is with having information deleted and with facilitating data portability; these rights must, however, be balanced against the legal and contractual obligations and responsibilities to retain information.

Have a clearly defined Data Retention Policy and supporting processes to meet the policy.

Page 10

7. PRIVACY NOTICES

Most organisations will have to revise their Privacy Notices to incorporate the obligations introduced within the GDPR, to address elements such as the ‘legal basis’ for processing and to define data retention periods for personal information.

Make your Privacy Notices CLEAR and UNAMBIGUOUS.

Page 11

8. SUBJECT ACCESS REQUESTS

Internal business processes and procedures for handling SARs will undoubtedly need to be revised.

Most organisations will no longer be able to charge a fee to comply with an SAR, which will have to be processed within a month (rather than the 40 days currently allowed).

Page 12

9. CHILDREN

The GDPR requires special protection in the form of ‘consent’ to process children’s personal information.

‘Consent’ has to be verifiable, and where children’s data is collected ‘Privacy Notices’ must be written in a manner that children can understand and comprehend.

Page 13

10. DATA BREACH NOTIFICATION

This notification is to data subjects and not necessarily the ICO/Regulator – unless there is the potential for identity theft or loss of confidentiality to the individual.

Create and exercise your Data Breach plan to reduce the impact and exposure in the event of a breach. Failure to report a breach could result in a fine, in addition to any penalty that might arise from the breach itself.

Page 14

11. DATA PROTECTION OFFICER

The latest iteration of the GDPR has stepped back from mandating that ALL organisations must have a DPO.

There is a requirement for “someone” to take ownership and responsibility for ensuring there is effective data protection compliance in place. Do not underestimate the time this function will require.

Page 15

12. INTERNATIONAL OPERATIONS

In its simplest terms, the ‘Lead Authority’ for investigating a complaint is determined according to where your organisation makes its key business decisions regarding data processing; in some cases this may be outside the UK.

Be aware of the locations where your data is processed and educate your organisation on the rules and regulations, so that it is prepared in the event of a breach.

Page 16

Organisations that wait for the changes to be finalised and implemented into National Law are unlikely to achieve the requirements in the time frames required.

This will potentially hand an advantage to your competitors.

Page 17

FURTHER INFORMATION

+44 (0)1242 255200

[email protected]

Paul Sexby

Head of Strategic Practice

Prepare for the EU GDPR with IRM’s EU Data Protection Assessment