Key aspects to be aware of
Preparing for the GDPR is likely to take a significant amount of time and input from various stakeholders in your business. The following is intended to give you a non-exhaustive list of some key aspects to consider when preparing your business for the implementation of the GDPR. At Cripps Pemberton Greenish we have a team on hand to help with this process and would be happy to discuss how best we can assist you.
You should ensure that key stakeholders and decision makers in your business are aware of the changes which are coming as a result of the GDPR and appreciate the impact this is likely to have.
Where you have existing data protection policies or provide staff training on data protection, you should review these to ensure they are consistent with the revised obligations under the GDPR.
Data mapping and identifying areas of risk
In order to identify areas of your business which could put you at risk of non-compliance with the GDPR, the first step it to carry out a data mapping task where you identify and clearly document the flow of data across your business.
Accountability and governance
A key principle under the GDPR is accountability. This will require your business to clearly document your data processing activities and any related decision making. You should ensure that you have in place internal governance processes which will enable you to demonstrate how decisions to use personal data are taken and what factors are considered in making those decisions.
You should consider whether you are required to appoint a DPO and in any event you should identify who within your business will be responsible for compliance with the GDPR.
If you rely on the consent of the data subject for processing their personal data you will need to review such consent and ensure that it meets the new requirements under the GDPR (see the page on consent for further details).
You should consider whether you collect any personal data relating to children and whether you are compliant with the rules regarding the collection and use of such data.
You should carry out an audit of your existing privacy policies and where necessary update them to comply with the new requirements under the GDPR.
Where you receive personal data from third parties, you should work with those third parties to ensure that their privacy policies are updated as necessary.
Contracts with third parties
You should identify what contracts you have in place with third parties relating to the transfer of personal data (either where they transfer personal data to you or you transfer personal data to them) and consider whether those contracts need to be updated.
You should consider the extent to which the new obligations relating to data portability will relate to your business.
Where applicable you will need to consider what changes you need to make to your processes to enable you to comply with the data format obligations under the GDPR.
Subject access requests
You should review, and where necessary update, your procedures for handling subject access requests (for more information see “Subject Access Requests”). Given that under the GDPR the timescale to comply with such requests is being reduced from 40 days to one month, you should consider whether there are any logistical issues with having to deal with requests more quickly.
You could also consider whether it is possible to put in place systems that allow data subjects to access their information online.
International transfers of personal data
You should document the flow of personal data from / to countries outside of the UK and / or the EEA and identify what data transfer mechanisms you have in place for these transfers and whether they will continue to be appropriate under the GDPR (for more information see “International Data Transfers”).
Handling data breaches
You should consider what processes you have in place for identifying, recording and responding to data breaches (for more information see “Data Breaches”).