The Complete 10 Step List to Prepare Your Business for GDPR

European Flag GDPR Mailjet

How do I prepare for GDPR?

Step 1 – Build Awareness of senior management

Ensure that the senior management teams are aware of GDPR and the likely impact on your organisation to guarantee internal buy-in.

Step 2 – Data status check and documentation

Check your current data status and document:

  • What personal data do you already hold?
  • Where did it come from and who have you shared it with?
  • Where are your vulnerabilities and where can you be held liable?
  • Where your data currently lives and classify this information.
  • How long this data is stored in your systems and when it can be deleted?

Step 3 – Privacy notices

Review your current privacy notices:

  • What updates are needed?
  • Embed privacy by design and default into all projects – don’t collect more personal data than you need, use anonymisation, pseudonymisation and encryption.

Step 4 – Data subjects’ rights

Check your current procedures to ensure you are able to deliver on all data subjects’ rights. The right to:

  • Be forgotten; be informed; have data deleted; a copy of their personal data (within a month, free of charge);
  • Right to data portability – data electronically in a commonly used format;
  • Right to prevent automated decisions and profiling;
  • Right to object.

Step 5 – Data subjects’ consent

Assess how you are seeking, obtaining and recording consent:

  • Are your records accurate, up to date and secure?
  • Do you have distinct, explicit consent for processing all personal data?
  • Do you need consent from a person holding parental responsibility? (children can give their own consent at 16, although it can be lowered at 13 for UK).

Step 6 – Data breaches management

Ensure you have appropriate procedures in place to detect, report and investigate any data breaches.

Step 7 – Data Protection by Design and Data Protection Impact Assessments

Familiarise yourself with DPIAs (Data Protection Impact Assessments) and work out when and how to implement these in your organisation (note: exemptions exist for small businesses and small-scale data usage).

  • Determine whether you need to appoint/contract a DPO (Data Protection Officer) who will be responsible for data protection compliance, acting independently and reporting to the highest levels of management.
  • Make sure your contracts for all third parties contain the new provisions.

Step 8 – Data Protection Officer

A DPO (Data Protection Officer) is a person – either an employee or an external consultant – who has formal responsibility for data protection compliance within a business. A DPO must be appointed if any of these conditions are met:

  • The relevant data processing activities are carried out by a public authority or body (where the definition of “public authority or body” is determined by each EU Member State);
  • The core activities of the relevant business involve regular and systematic monitoring of individual, on a large scale; or
  • The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

If the DPO is within you organization, as an employer you must:

  • Provide necessary resources to carry out his/her tasks and maintain his/her expert knowledge;
  • Provide access to personal data and processing operations;
  • Ensures he/she is involved in all issues relating to the protection of personal data;
  • Make his/her contact details available to the public and the supervisory authority.

Step 10 – Awareness of staff

Inform and educate your employees and personnel on the collection and treatment of all customers data.

 

Back to GDPR Summary.