- 90 percent of those businesses represented by the 40+ luncheon attendees had not started any form of preparation for the GDPR and had no immediate plan to do so.
- A large portion of those attending believed that the business they represented would wait to see how regulators handled the first breach enforced under the GDPR before acting. Many believe the threat of fines of up to four percent of annual turnover is exactly that – just a threat – while many more questioned how these regulations and fines could be enforced against organisations in China and other countries outside the EU.
- Awareness – Ensure that decision-makers and key members of the organisation are aware that the law is changing and that they appreciate the estimated impact to the business in terms of policy, process, time, resources and potential fines for non-compliance.
- Information Held – Audit and document what personal data is held within the organisation or by third-parties on behalf of the organisation. Understand the information flow, including where it came from, how it’s protected and with whom it's shared.
- Communicating Privacy Information – Review current privacy notices and create a plan that highlights any necessary changes before the GDPR takes effect.
- Individuals’ Rights – Review procedures to ensure the organisation can address all of the rights that individuals will have under the GDPR:
  - The right to be informed.
  - The right of access.
  - The right to rectification.
  - The right to erasure.
  - The right to restrict processing.
  - The right to data portability.
  - The right to object.
  - Rights in relation to automated decision making and profiling.
- Subject Access Requests – Update procedures, plan how to handle requests within the new time frame (one month from receipt under the GDPR, rather than the previous 40 days), and provide the requested information.
- Legal Basis for Processing – Review data-processing activities, as well as identify and document the legal justification for each type of activity.
- Consent – Review how the organisation seeks, obtains and records consent, and consider whether any changes are required.
- Children – Consider implementing new systems to verify individuals’ ages and to gather, where necessary, parental or guardian consent.
- Data Breaches – Make sure appropriate procedures are in place to detect, report and investigate personal data breaches within the new time limits (notification to the supervisory authority within 72 hours of becoming aware of the breach, where feasible).
- Data Protection by Design and DPIAs – Become familiar with ICO guidance on Privacy Impact Assessments (Data Protection Impact Assessments under the GDPR) and determine how and when they should be carried out.
- DPO – Designate a Data Protection Officer, if required. Determine where the role will sit within the organisation’s structure and governance arrangements.
- International – If the organisation operates internationally, determine which data protection supervisory authority will be responsible for its regulation.