Blog

Are all the decision makers and key people in your organisation aware the law is changing on 25^th May 2018? Do they understand the impact it will have on your business, the process changes and implications if they fail to meet the new regulations?

Have you documented what personal data you already hold, where it came from and who you share it with? If necessary, have you carried out an audit to ensure you have all the necessary records for the information you hold?

Have you reviewed and changed all your privacy notices to ensure compliance with the GDPR?

Have you reviewed and altered your procedures to ensure they cover all the new rights individuals have? There are eight key individual rights, ranging from the right to be forgotten through to portability.

Have you updated your procedures for handling requests for personal data within the new timescales as well as to provide that data electronically and in a commonly used format?

Have you identified the lawful basis upon which you will carry out data processing activities? There are six possible bases and yours must be documented and included in your privacy notice.

Have you reviewed and made the necessary changes to how you seek, manage and record consent? Have you also refreshed your existing consents to meet GDPR standards?

Most likely not relevant to the automotive industry, but the ICO has asked organisations to review whether systems are necessary to verify individuals’ ages and how parental or guardian consent is obtained for any data processing activity.

Have you put procedures in place to detect, report and investigate a personal data breach?

Have you familiarised yourself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party? The latest updates can be found here.

Have you determined whether you are required to formally designate a DPO? If so, have you designated someone in your organisation to take responsibility for data protection compliance and assessed where this role will sit within your organisation’s structure and governance arrangements?

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), have you determined your lead data protection supervisory authority?