Your GDPR checklist
It is now only three months until the General Data Protection Regulation goes live, and local law firm Warner Goodman is seeing an increasing number of requests for assistance in making businesses compliant. Geoffrey Sturgess, Consultant Solicitor, provides a useful checklist for businesses on how to ensure compliance with this revolutionary change to data protection regulations.
It is fair to say it is not an easy process to ensure compliance. Businesses now need to document what they do with personal data and demonstrate that it is lawful. GDPR (and its associated draft legislation) is unclear in many important respects.
The Information Commissioner’s Office (ICO) has much guidance on its website, but it too is waiting for guidance from Europe. It is therefore possible that systems and procedures adopted by businesses will need to be changed once more guidance is available.
We suggest the following process to achieve compliance:
- Get a general understanding of GDPR; attending a course will help achieve this and give you the opportunity to share best practice with fellow delegates. With a variety of courses available, it is important to ensure it is the right course for your business.
- Create a data “map” showing what personal data you process, where you get it from, what you do with it, how long you keep it and with whom you share it.
- Analyse the map in the context of GDPR and make changes to your data processing where necessary for compliance. Alternatively, find “creative” interpretations of GDPR under which the processing is justified/legal.
- Create your “record” setting out what you do and how it is justified (lawful) under GDPR. You will also need records of consents obtained from data subjects.
- Engage with your third party data processors (eg your data host) and joint controllers to ensure that compliant processing contracts or joint controller “arrangements” are in place.
- Create any new documentation required, eg consent forms and notices to be provided to data subjects.
- Set up systems to ensure continuing compliance and (probably) appoint a Data Protection Officer.
- Ensure that you comply with your documented processes and procedures.
The points on this checklist will be time-consuming, and businesses must be preparing now ahead of the implementation of GDPR on 25th May. We are currently running workshops for businesses on how to make these changes; more details can be obtained by contacting Alice Samuel at firstname.lastname@example.org. Alternatively, you can contact Geoffrey Sturgess on 02380 717424 or email email@example.com.
This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.