The first major post-Brexit speech delivered by the new Information Commissioner stressed the importance of preparing now for the coming changes in data protection regulation.
The GDPR is likely to become law on 25th May 2018 if Brexit is not achieved by then. Upon Brexit, it is likely that an equivalent to the GDPR will be adopted as UK law, so now is the time to act.
Please see our summary of the key messages from the ICO.
The ICO's 12 Steps to Take Now - Preparing for the GDPR is a useful way to start preparing.
Free GDPR Stress Test
For a free "GDPR Stress-Test" please email us at firstname.lastname@example.org or call 020 3691 5731.
To start, Protecture would recommend tackling the 12 steps in the following order:
Steps 1 and 11 - Awareness and Data Protection Officers
Ensure that your CEO and senior management are aware that the law is changing to the GDPR, and that someone senior is allocated responsibility for data protection compliance.
Step 10 - Data Protection by Design / by Default / Impact Assessments
Ensure that any current or imminent projects that involve the handling of personal information (e.g. changing CRM; moving data to the cloud; updating your website) sufficiently address data protection and privacy requirements - e.g. minimum data collection; retention and disposal; security.
Steps 2, 6, 7, 8, and 12 - Information Management (know the information you hold)
Review and document what personal data you collect and hold, where it came from, what you use it for and who you share it with. Define the legal basis for processing personal information - especially if you rely on consent. Ensure you are clear whether you hold personal data on children, and whether you (or your suppliers) transfer data internationally.
Steps 3, 4 and 5 - Individual Rights
Review your privacy notices to ensure you are as transparent as possible about your handling of personal information. Review your approach to processing Subject Access Requests and whether your systems are able to meet the new requirements for data erasure and data portability.
Step 9 - Data Breaches (and information security)
Review your approach to handling actual or suspected information security breaches - e.g. awareness-raising; internal reporting; when to report externally. Ensure your approach to information risk enables you to demonstrate the risk-based decisions you have taken.