The Information Commissioner’s Office (ICO) has issued a 12-point checklist in order to ensure compliance with the General Data Protection Regulation (GDPR). Whilst the earliest the GDPR will become law is 2018, the ICO points out that you need to consider what changes you will need to make now.
The steps are:
1/ Awareness,
2/ Information you hold,
3/ Communicating privacy information,
4/ Individuals’ rights,
5/ Subject access requests,
6/ Legal basis for processing data,
7/ Consent,
8/ Children,
9/ Data breaches,
10/ Data protection by design,
11/ Data Protection Officers,
12/ International.
The list looks daunting at first glance. It will seem a little worse once you read the whole document on the ICO’s website (https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf), as you should, but things are not as bad as they might appear at first sight.
For instance, much of the GDPR builds on current regulations and its intent is to bring all legislation under one regulation. If you comply with the current laws then much of your work is already done. That’s not to say you can relax.
Some of the parts might not relate to your current business model, for instance 8/ Children and 12/ International. If you are satisfied that you will not expand into these areas then there’s less work for you.
The most revealing aspect of the GDPR is 10/, which in full is Data Protection by Design and Data Protection Impact Assessments. I don’t like catch phrases, especially long-winded ones, but this one encapsulates the ethos behind the regulation. You will need to assess whether there is a call for Data Protection Impact Assessments in your business, although there will be few businesses where they don’t apply.
You might think that you have plenty of time. After all, a lot can happen in two years. However, the point is that, from a business perspective, a lot must happen in your company. The GDPR is big on documentation, particularly for Data Officers and Processors. On that aspect alone you will need to consider training, computer systems, security, costs and more.
Read the ICO’s guidance. We will come back to the specifics in more detail in future.