Collaborate with the Board
Company directors' and officers' buy-in is critical. This should occur at the outset of implementing GDPR compliance – they are ultimately responsible. Collaborate to allocate resources and create an official project plan which can be maintained for the future.
Audit data – Conduct a Data Protection Impact Assessment (DPIA)
Before implementing new safeguards and processes, conduct an audit. Understand how you collect and store personal data. Identify the risks of each data store and document potential mitigation steps.
Assign and educate
If applicable, appoint a Data Protection Officer (DPO) and where one is not required, appoint someone to be a Privacy and Compliance Manager (PACMAN). A PACMAN has limited legal responsibility compared to the DPO role. Train all staff on GDPR and your organisation’s security requirements. Ensure that you record all training, as this is valuable evidence which demonstrates that you take GDPR seriously.
Create access request processes
Update internal policies, technologies and operations to accommodate data subject requests. This includes the right to be forgotten, data portability and the subject’s right to receive data electronically in a common format. Create policies for access request refusal when requests are “manifestly unfounded or excessive” to protect you from abuse.
Identify lawful basis for data processing
Document your company’s lawful basis for collecting and processing both sensitive and non-sensitive personal data. Update Privacy notices accordingly. Address issues of consent, data profiling and child data subjects.
If your organisation meets the criteria of a data processor, update controller contracts to meet GDPR Article 28.
Create a record of processing
Create, maintain and update a sufficiently detailed record of processing that covers all data you process. Include record-keeping and retention policies. Address and update security measures to meet requirements for risk mitigation.
Update privacy notices
Review privacy notices. Use clear language to tell the data subject what their rights are and how you intend to use their data.
Assess your consent processes
Where you rely on consent to process data, ensure you have a positive opt-in. You should make sure data subjects can withdraw their consent. Record this in your record of processing.
Implement an age-based policy if required
If needed, update consent language and processes for obtaining consent from children. If subjects are 16 or under, create processes for parental consent.
Address privacy by design
Clear and unambiguous consent is required for you to store someone’s data. As an example, contact forms and checkboxes should not be pre-ticked or force users to consent to giving data when it isn’t necessary. Focus on helping the data subject and not on capturing their information. Document a policy of privacy by design and make this the default for your organisation.
Review breach policy
Establish and update policies and procedures for detecting, investigating and notifying subjects and authorities during a data breach. Under GDPR you have 72 hours to inform the Information Commissioner’s Office (ICO) of a breach. Have all staff trained in the process and document this as evidence.
Examine data export
Identify whether your data processing involves the export of data across borders outside of the European Economic Area. Identify your lead data protection supervisory authority (in the UK this is the ICO) and review and update your transfer mechanisms in line with Article 29 Working Party guidelines.
Update third-party contracts
Identify all contractor relationships that require agreement revision and update for compliance. Verify third-party contractors can comply with GDPR privacy by design requirements and select your business partners based on this.