Don’t Panic… Prepare for GDPR

Disclaimer – We are not providing any legal advice or consultation pertaining to GDPR or other compliance issues. Please consult with your legal
teams and resources to ensure they are aware of their
obligations under applicable regulations.

With less than eight months to go until the General Data Protection Regulation (GDPR) comes in to force on May 25, 2018, it’s important to start planning your organisation’s approach and taking action.If your organisation fails to comply then you could end up facing heavy penalties of up to 20 million euros or 4% of your global annual turnover.

The overall purpose of GDPR is to give EU citizens more control over their personal data and have more control over how an organisation may use that data. Therefore, if you are marketing to an EU data subject, you MUST fully comply with the most comprehensive law coming into effect since the last 20 years.

What you can do to prepare

The first step would be to take a look at your organisations’ current data that is being obtained and customer contact practices. Review how these will need to be adjusted to comply with GDPR. The main thing to establish is that a consent trail exists so that it is clear what the customer has consented to be shared and when this was given.

Every country will have a Data Protection Authority (DPA) that will coordinate GDPR compliance; in the UK this is the Information Commissioners Office (ICO). Please see below a checklist (drawn from the United Kingdoms Information Commissioners Office) that can kick-start your organisations’ preparation for GDPR.

1. Awareness. Make sure that your executives and stakeholders understand what’s changing and the effect that it will have on your organisations’ operations and liabilities
2. Data. Have a thorough plan to document and categorise the personal data you have, where it came from, and who you share it with. You will be required to be accountable.
3. Privacy Notice. Review your privacy notice and align it with new GDPR rules.
4. Individuals Rights. People have enhanced rights such as to be forgotten, and new rights, such as data portability. Check your procedures, processes, and data formats to ensure that you can meet the new terms.
5. Subject Access Requests. You will have shorter timeframes to respond, and in most cases, you will not be able to charge for access. Update your procedures to meet the new terms.
6. A Legal Basis for Processing Personal Data. You will need to document your legal basis for processing personal data in your privacy notice and other places.
7. Consent. Review how you obtain and record consent; you will be required to document this. It must be a positive indication; it cannot be inferred. Make sure you have an audit trail.
8. Children. There will be new safeguards for childrens’ data. Put systems in place to verify individuals ages and to gather parental or guardian consent for the data processing activity.
9. Data Breaches. New breach notification rules and new fines will affect many organisations. Make sure you know how you will detect, report, and investigate personal data breaches.
10. Privacy by Design. A privacy by design and data minimisation approach will come and express legal requirement. Plan now how you will meet the new terms.
11. Data Protection Officers. Your organisation may need to designate a Data Protection Officer. Know who will take responsibility for compliance, and how their role will be positioned.
12. International. If your organisation operates internationally, determine which data protection supervisory authority you come under (in the UK, this would be the ICO). If you have multiple sites where decisions about data processing are made, this may be a complex answer.

Some parts of the GDPR will have more of an impact for certain organisations, therefore it would be useful to map out which parts of the GDPR will have the greatest influence on your business model and give those areas a high priority in your planning process.