The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. It requires greater transparency from those who process personal data and provides individuals (also known as data subjects) with enhanced rights when it comes to the handling of their information.
As every company is likely to hold some personal data, irrespective of the sector in which the business operates, Gateley Plc has produced a guide setting out seven steps that directors should consider taking to ensure their company is ready to comply with the new requirements:
- Establish a team – Put together a specialist team tasked with ensuring GDPR compliance.
- Undertake a data-mapping exercise – A data-mapping exercise helps ensure your organisation is ready to comply with the new requirements.
- Processing notices – Businesses should consider the legal basis for processing personal data.
- Update consents (if needed) – Where consent is required, the data subject must have freely given specific, informed, unambiguous consent for the personal data to be processed in a specific way.
- Assess internal processes – The internal processes of the business should be reviewed to ascertain whether or not they are reliable and provide the required level of governance and functionality under the GDPR.
- Embed data protection by design and default – Any new business practices or processes that are to be adopted by the board must have data protection elements integrated from the outset.
- Governance – Robust internal governance is required to ensure that data protection is integral to the way an organisation operates and that breaches are dealt with appropriately and efficiently.