GDPR gives increased powers to regulatory authorities to act against data controllers and data processors who don’t comply with it.
Businesses of all sizes could be subject to fines of up to 4% of annual worldwide turnover or €20 million – whichever is greater!
Nearly all organisations will need to amend their existing privacy notices and terms.
The supervisory authority will need to be notified of most personal data breaches within 72 hours of the controller becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
The Information Commissioner’s Office suggests 12 steps you should take now:
1. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. You should update your procedures and plan how you will handle subject access requests within the new timescales (one month, rather than the current 40 days, and in most cases without charging a fee).
6. You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for any data processing activity involving children.
9. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (referred to in the GDPR as Data Protection Impact Assessments) and work out how and when to implement them in your organisation.
11. You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12. If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
You should make sure NOW that decision makers and key people in your organisation are aware that the law is changing to the GDPR and appreciate the impact this is likely to have.
Implementing the GDPR could have significant resource implications and you may find compliance difficult if you leave your preparations until the last minute.
Ignoring the regulation until it becomes enforceable on 25 May 2018 could be a costly mistake.
GDPR Summit Series will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at www.gdprsummit.london
The GDPR Summit Series has been specifically designed for business generalists rather than data protection or privacy specialists, and will provide delegates with a comprehensive picture of the new regulation and a practical understanding of the implications and legal requirements for compliance.