The General Data Protection Regulation
The General Data Protection Regulation, or GDPR, is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU citizens.
It introduces new obligations and liabilities for all organisations that handle personal data and new rights for individuals in respect of their personal data. Organisations must comply with the new rules by 25 May 2018.
How to prepare for the GDPR
If you think your organisation may be impacted by the GDPR, now’s the time to start preparing. We highly recommend you seek legal advice to determine what may be required for your specific situation. However, there are a number of factors that all organisations should be considering.
Understanding your data
Protecting data properly means understanding how it is treated in your organisation: how the personal data you hold is handled, shared, and used. With this information, you can build your GDPR strategy in a way that works for your organisation and allows you to use the data the way your business needs to.
Determining ownership and accountability
It’s important to identify a responsible owner for data protection compliance. For some organisations, this will mean appointing a data protection officer. The GDPR also introduces a new “accountability” principle that requires organisations to adopt a data protection compliance programme. In addition, you may need to develop internal data protection policies and provide staff training.
Ensuring a legal basis for processing
It makes sense to start determining and documenting what legal grounds you’re using for processing the different types of personal data you handle. If you’re using consent as a basis for processing, for example, you’ll need to consider how you obtain it and be able to clearly demonstrate how and when it’s been given.
Understanding the rights of data subjects
You will want to make sure you understand the new rights that people have in relation to their personal data, so that your procedures can accommodate them. For example, data subjects will have the right to access their personal data, as well as to have it corrected, erased, or ported electronically.
In certain circumstances, they’ll also have the right to object to automated decision-making and profiling.
Ensuring privacy by design
Privacy by design will become an explicit legal requirement for the first time, so it’s important to begin considering how to build it into your business processes. In some circumstances, conducting privacy impact assessments will also be necessary. It’s important to start planning how, when, and by whom these will be conducted.
Preparing for breach management
You’ll want to review and update your data breach management policies and processes. Detecting and reporting breaches to the correct authorities in a timely manner will be critical, as fines can be levied for reporting failures as well as for breaches.
Communicating essential information
Reviewing your online privacy policies and other notices will become important as the GDPR deadline nears. New requirements include detailing the legal basis for your processing and making users aware of the authority they can complain to if there’s a problem.
Working with your providers
Fulfilling GDPR obligations goes beyond your organisation’s own policies. Any third parties processing personal data on your behalf will also need to meet the necessary standards for data protection. Some questions you may want to ask your providers include: Do they have robust practices for network and information security, privacy, and data protection? Do they conform to internationally accepted standards and verify their compliance? How can they demonstrate a strong culture of trust and security? And what controls do they offer to help you manage your data and meet your obligations as a controller?