There are just two days until the General Data Protection Regulation (GDPR) becomes enforceable on 25th May 2018. Based on the Information Commissioner's Office (ICO) 12-step guide to preparing for the GDPR, here is a last-minute checklist to help ensure your business is compliant:
| Area | What to check | Complete? |
|---|---|---|
| Awareness | Are all the decision makers and key people in your organisation aware that the law is changing on 25th May 2018? Do they understand the impact it will have on your business, the process changes required and the implications if they fail to meet the new regulations? | |
| Information you hold | Have you documented what personal data you already hold, where it came from and who you share it with? If necessary, have you carried out an audit to ensure you have complete records for the information you hold? | |
| Communicating privacy information | Have you reviewed and updated all your privacy notices to ensure compliance with the GDPR? | |
| Individuals' rights | Have you reviewed and altered your procedures to ensure they cover all the rights individuals have under the GDPR? There are eight key individual rights, ranging from the right to be forgotten (erasure) through to data portability. | |
| Subject access requests | Have you updated your procedures for handling requests for personal data within the new one-month timescale, and for providing that data electronically and in a commonly used format? | |
| Lawful basis for processing data | Have you identified the lawful basis on which you will carry out each data processing activity? There are six possible bases, and yours must be documented and included in your privacy notice. | |
| Consent | Have you reviewed and made the necessary changes to how you seek, manage and record consent? Have you also refreshed your existing consents so that they meet GDPR standards? | |
| Children | Most likely not relevant to the automotive industry, but the ICO has asked organisations to review whether systems are needed to verify individuals' ages and how parental or guardian consent is obtained for any data processing activity. | |
| Data breaches | Have you put procedures in place to detect, report and investigate a personal data breach, including notifying the ICO within 72 hours of becoming aware of a breach where the GDPR requires it? | |
| Data Protection by Design and Data Protection Impact Assessments | Have you familiarised yourself with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party? Check both sources for the latest updates. | |
| Data Protection Officers (DPO) | Have you determined whether you are required to formally designate a DPO? If so, have you designated someone in your organisation to take responsibility for data protection compliance, and assessed where this role will sit within your organisation's structure and governance arrangements? | |
| International | If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), have you determined your lead data protection supervisory authority? | |
For further information on the GDPR, download our latest free eBook: GDPR: Is the automotive industry compliant?