As you may know, the General Data Protection Regulation (GDPR), designed to harmonise data privacy laws across Europe and ensure protection of personal data of EU citizens, is due to come into force on 25th May 2018.
Over the past few weeks, we have received a few client enquiries about the GDPR and decided to put together a list of resources that might help you on your way to GDPR compliance.
GDPR Starting Point
The ICO has created the Guide to the General Data Protection Regulation (GDPR). The guide is a living document that includes links to the relevant sections of the GDPR itself and to other guidance produced by the ICO and the EU’s Article 29 Working Party. In order to comply with the regulation, the ICO recommends that marketers take the following 12 steps:
The first and most startling point is that only 35% of the 1,236 respondents to Kantar TNS’ first GDPR Awareness Index have heard of the regulation. Moreover, they have a poor understanding of what it covers, as reported by Research Live on 30th January 2018. This is alarming, as the regulation’s start date is fast approaching. The ICO recommends that the major stakeholders within your business are informed about the regulation.
Information you hold
Secondly, the ICO recommends carrying out an internal audit of the information your company holds. It should record where the data came from and who you share it with. The ICO provides a set of documentation templates for Data Controllers and Processors to help you document your processing activities.
Communicating privacy information
The ICO recommends checking your procedures regarding the rights individuals have. Furthermore, make sure the review covers requests for the removal of their personal data. If you would like to find out more about the rights of the data subject, Chapter 3 of the regulation is dedicated solely to this matter.
Subject access requests
The GDPR imposes new timescales for responding to requests regarding personal data. Therefore, the ICO recommends reviewing your internal procedures to ensure they comply with the new timescales.
Lawful basis for processing personal data
When it comes to the lawful basis for your processing activity, the ICO recommends that you identify this within your business. You might need to update your privacy notice so that the explanation it gives is in line with the GDPR. The ICO discusses subject access requests in more detail on its website.
Generally speaking, obtaining consent will become stricter under the GDPR. The ICO recommends reviewing your current method of seeking consent and changing it if necessary. Companies that you work with might also be preparing for the regulation and amending their policy statements. Some businesses, such as Google, might inform you about their consent policy changes proactively, while others might hold off. With this in mind, you ought to ensure you’re aware of these changes.
Regarding the personal data of children, the ICO recommends that you consider whether you need to put systems in place to verify individuals’ ages. You might need to obtain parental or guardian consent for any data you process or hold.
The ICO suggests ensuring that the right procedures are in place to detect, report and investigate a personal data breach. Bear in mind that the ICO, as well as the affected individuals, might need to be contacted depending on the type of breach. In the case of a personal data breach, where feasible, the Controller will be responsible for notifying the supervisory authority competent in accordance with Article 55 within 72 hours.
Data Protection by Design and Data Protection Impact Assessments
The GDPR will make privacy by design an express legal requirement. According to PwC, this affects the way systems and technology should be designed. Therefore, the ICO recommends assessing the situations in which it will be necessary for you to conduct a Data Privacy Impact Assessment (DPIA).
Data Protection Officers
In terms of who will be responsible for data protection compliance within your business, the ICO recommends that you designate a Data Protection Officer. In light of this, IT Governance explains the role of the data protection officer in more depth.
Lastly, if your company operates in more than one EU member state, the ICO recommends determining your lead data protection supervisory authority and documenting this. The lead authority will be the one located where your main establishment is. More information on how to identify a controller’s or processor’s lead supervisory authority is available from the Article 29 Data Protection Working Party.
GDPR Checklists for Data Controllers & Data Processors
After reading through the 12-step guide and putting procedures in place to comply with the GDPR, you can fill in the ICO GDPR checklists. By doing this, you will be able to assess your preparedness as a Controller and/or Processor.
GDPR Comprehensive List of Marketing Material & References
Finally, the Econsultancy article ‘All the GDPR resources marketers need, in one place’ is a really helpful resource that brings together most GDPR advice in an accessible, easily comprehensible and convenient way.
The information contained within this blog post does not in any way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.