Our key decision makers are aware that the law is changing and appreciate the impact this is likely to have.
Documentation has been gathered to formally identify what data we hold, where it came from and who we share it with.
Communicating privacy information
Planned reviews of our current privacy notices to enable us to put a plan in place for making any necessary changes before May 2018.
Our procedures have been updated to ensure they cover all the rights individuals have, including how personal data can be provided and deleted electronically and in a commonly used format.
Subject access requests
Updated our procedures and have planned how we will handle requests within the new timescales and provide the additional information.
Lawful basis for processing personal data
We have identified the lawful basis for our processing activities under the GDPR and are in the process of documenting it and updating our privacy notice to explain it.
We have reviewed how we seek, record and manage consent and have amended our development pipeline to ensure our existing consents meet the GDPR standard.
It is important to think about whether we need to put a system in place to verify individuals' ages and to obtain consent for any data processing activity.
We have ensured that we have the correct procedures in place to detect, report and investigate any personal data breach.
Data Protection by Design and Data Protection Impact Assessments
We have familiarised ourselves with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and have planned out how and when to implement them into the organisation.
Data Protection Officers
We are in the process of assessing whether an employee should take responsibility for data protection compliance and whether this role sits within the organisation or with a government agency.
As we expand and grow further into the EU, we have decided to determine a lead data protection supervisory authority by using the Article 29 Working Party guidelines.
GDPR is the biggest overhaul of data protection laws in more than two decades but Elizabeth Denham, the UK's Information Commissioner, has called it an "evolution" rather than a complete "revolution".
For businesses and organisations which already comply with the UK's current data protection law many things will stay the same but GDPR will bring in some new obligations. You can see WIRED's guide to GDPR in the UK here.
Make sure employees know about the GDPR
Information Commissioner Denham has said her office will be more lenient on businesses and organisations that have fallen foul of GDPR if they have shown "awareness" of it. This means that if decision-makers know about GDPR and are taking steps to meet its obligations, their organisations are less likely to be fined – if the ICO goes down that route.
Check individuals' rights
Under GDPR, the rights of individuals are clearly defined. There are eight of them and they include a right to access, a right to be informed, and a right to object. Largely, the eight rights build upon abilities individuals already have but there are some new ones as well. These include the right to data portability. Businesses and organisations should check that they comply with existing rights and determine whether they need to make any changes for the enforcement of GDPR.
Update privacy notices
The UK's current data protection law – the 1998 Act – requires privacy notices to be displayed whenever personal information is collected from a data subject. They're designed to inform a person who will be processing their information and why.
GDPR expands on the need for privacy notices: it introduces a greater transparency requirement and will likely result in companies needing to rewrite their published statements. This means fuller privacy notices, with greater detail, are required. A mock example can be found here.
Be prepared for potential data breaches
If a company loses personal information, or has it stolen, in a data breach, the GDPR says it must report the breach to its local data protection regulator if there is a risk to people's rights.
This must be done no more than 72 hours after the organisation finds out about the data breach, a move away from the non-compulsory data breach reporting currently in place in the UK. If the breach poses a high risk to the rights of individuals, the people affected have to be told as well. This means businesses and organisations need to have processes in place that allow a data breach to be examined and properly investigated.
Controllers and processors answer to the supervisory authority, a public authority which must be established in each member State.
The supervisory authority is responsible for monitoring the application of the Regulation, in order to protect the fundamental rights and freedoms of users in relation to processing.
It is the supervisory authority's task to promote public awareness and understanding of the risks, rules, safeguards and rights that apply to users.
It is completely independent from the member State and answers only to the European Commission. Member States must provide the means for the supervisory authority to complete its tasks, but they cannot control its activities. The supervisory authority also deals with cases of infringement and may impose fines or suspend data transfers if the Regulation is not complied with.
The processor is any individual, company or organisation that handles personal data. The processor answers to the data controller.
The controller is any company or organisation in charge of ensuring and documenting that users' data is processed in accordance with the Regulation.
Before the GDPR, only the controller was liable for the handling of personal data and there were no consequences for processors in case of infringement. Now, the controller and processor are both responsible for the application of the Regulation and will both be held accountable in case of infringement. This radically changes the relationship between the two of them and will significantly contribute to the creation of a new business culture in the Union.