Awareness is the first step to prepare for the General Data Protection Regulation (GDPR). Make sure decision-makers and key people in your organisation know that the law is changing. They need to appreciate the impact this could have and identify areas that could cause compliance problems.

Information you hold should be documented: what personal data you hold, where it came from, and who you share it with. Organisations should conduct an information audit or speak to their data protection officer (DPO) if one exists.

Procedures should be checked to ensure they cover individuals’ rights. These include having inaccuracies corrected and receiving their data electronically in a commonly used format.

Privacy information should be reviewed and, where necessary, updated. When collecting personal data, you should provide information such as your lawful basis for processing the data and the data retention periods.

Procedures should be in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting your lead data protection supervisory authority if your organisation operates in more than one EU member state.

Children should be protected. Systems should verify individuals’ ages and gather parental or guardian consent for data processing activity.

Data Protection by Design and Data Protection Impact Assessments should be familiar to you. You should work out how and when to implement them in your organisation.

Consent should be reviewed. It should be freely given, specific, informed and unambiguous. There should be a positive opt-in, consent requests should be separate from other terms and conditions, and there should be a simple way for people to withdraw consent.

Data Protection Officers should be designated to take responsibility for data protection compliance. You should decide where this role will sit within your organisation’s structure and governance arrangements.

International organisations should identify which data protection supervisory authority they come under the GDPR.

Go to source article: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf