- Build Awareness of senior management
- Data status check and documentation
- Privacy notices
- Data subjects’ rights
- Data subjects’ consent
- Data breaches management
- Data Protection by Design and Data Protection Impact Assessments
- Data Protection Officer
- Third Party Solution providers
- Awareness of staff
Step 1 – Build Awareness of senior management
Ensure that the senior management teams are aware of GDPR and the likely impact on your organisation to guarantee internal buy-in.
Step 2 – Data status check and documentation
Check your current data status and document:
- What personal data do you already hold?
- Where did it come from and who have you shared it with?
- Where are your vulnerabilities and where can you be held liable?
- Where your data currently lives and classify this information.
- How long this data is stored in your systems and when it can be deleted?
Step 3 – Privacy notices
Review your current privacy notices:
- What updates are needed?
- Embed privacy by design and default into all projects – don’t collect more personal data than you need, use anonymisation, pseudonymisation and encryption.
Step 4 – Data subjects’ rights
Check your current procedures to ensure you are able to deliver on all data subjects’ rights. The right to:
- Be forgotten; be informed; have data deleted; a copy of their personal data (within a month, free of charge);
- Right to data portability – data electronically in a commonly used format;
- Right to prevent automated decisions and profiling;
- Right to object.
Step 5 – Data subjects’ consent
Assess how you are seeking, obtaining and recording consent:
- Are your records accurate, up to date and secure?
- Do you have distinct, explicit consent for processing all personal data?
- Do you need consent from a person holding parental responsibility? (children can give their own consent at 16, although it can be lowered at 13 for UK).
Step 6 – Data breaches management
Ensure you have appropriate procedures in place to detect, report and investigate any data breaches.
Step 7 – Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself with DPIAs (Data Protection Impact Assessments) and work out when and how to implement these in your organisation (note: exemptions exist for small businesses and small-scale data usage).
- Determine whether you need to appoint/contract a DPO (Data Protection Officer) who will be responsible for data protection compliance, acting independently and reporting to the highest levels of management.
- Make sure your contracts for all third parties contain the new provisions.
Step 8 – Data Protection Officer
A DPO (Data Protection Officer) is a person – either an employee or an external consultant – who has formal responsibility for data protection compliance within a business. A DPO must be appointed if any of these conditions are met:
- The relevant data processing activities are carried out by a public authority or body (where the definition of “public authority or body” is determined by each EU Member State);
- The core activities of the relevant business involve regular and systematic monitoring of individual, on a large scale; or
- The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.
If the DPO is within you organization, as an employer you must:
- Provide necessary resources to carry out his/her tasks and maintain his/her expert knowledge;
- Provide access to personal data and processing operations;
- Ensures he/she is involved in all issues relating to the protection of personal data;
- Make his/her contact details available to the public and the supervisory authority.
Step 9 – Third Party Solution providers
More information on GDPR and Third Party Solution providers.
Step 10 – Awareness of staff
Inform and educate your employees and personnel on the collection and treatment of all customers data.