No matter what industry you work in, GDPR should be top of mind right now. Yet despite the constant coverage there still seems to be a lot of confusion surrounding it.
So what is GDPR?
Simply put, the GDPR is the first Data Protection Law to come out of the European Union and gives greater protection and rights to individuals.
What do you need to know?
If you handle personal data, or sensitive personal data, you need to know your legal obligations when doing so. Personal data is any identifiable data – from a name to an IP address. Sensitive personal data is religious and political views, sexual orientation and more.
The ICO says “If you are currently subject to the Data Protection Act, it is likely that you will also be the subject to the GDPR”
12 Steps to Take Now
- Decision makers & key people need to be aware the law is changing to GDPR.
- Document all personal data you hold, where it came from & who you share it with.
- Review current privacy notices and plan any necessary changes.
- Ensure procedures cover all rights individuals have.
- Plan how you will handle subject access requests and update procedures.
- Identify your lawful basis for processing personal data and update your privacy notices.
- Review and update how you seek, record and manage consent.
- Think about putting systems in place to verify age and obtain consent from parents or guardians.
- Make sure you have the right systems in place to detect, report & investigate a breach.
- Familiarise yourself with the ICO Code of Practices and latest guidance from Article 29 and how you implement it in your organisation.
- Consider whether you need to formally designate a Data Protection Officer, if so, assess where this role fits in with your organisations structure and designate someone to take responsibility.
- If your organisation operates in more than one EU member state, you should determine your lead Data Protection Supervisory Authority.
The ICO has established clear guidlines, as well as some helpful myth-busting facts to help you navigate GDPR.