The UK Information Commissioner’s Office (ICO) has published a 12-step guide to help organisations prepare for the EU General Data Protection Regulation (GDPR). The guidance outlines 12 steps that organisations need to follow to ensure their processes, systems and policies comply with the new regulation. The ICO has indicated that it will set out its plans to produce new guidance and other tools to assist organisations in preparing for the GDPR over the next few months.
The ICO will also be working closely with trade associations and bodies representing the various sectors to facilitate sector based implementation of the GDPR.
Accountability is a key issue within the GDPR and organisations that process personal data must ensure that they have documented policies, procedures and processes articulating how they manage or comply with data protection requirements and legislation as an organisation. Data Controllers will no longer be required to register their processing activities with the ICO but will face strict requirements to maintain comprehensive records of their processing.
Some data controllers and processors will be required to designate a Data Protection Officer (DPO) as part of their accountability programme. This is particularly the case where the data controller’s or processor’s core activities consist of processing special categories of personal data on a large scale. The GDPR still places the burden for data protection on data controllers.
A lot of the work for organisations that wish to comply with the GDPR will go into reviewing data flows and determining the lawful basis for each data flow, and into reviewing procedures for individuals’ rights to ensure they cover all the rights individuals have, including the organisation’s procedure for deleting personal data and ensuring that personal data can be provided electronically and in a commonly used format.
Organisations may also need to review arrangements for sharing data with other organisations to ensure contracts are fit for purpose and meet the requirements of the GDPR.
The GDPR contains more detailed requirements for the data controller-processor relationship. This means most data controllers will need to review their data processor contracts as data processors have additional duties under the GDPR and are liable for non-compliance with their contractual obligations or for acting outside the data processing authority granted by a controller.
The ICO checklist is a good starting point for working out the areas that your organisation may need to address to comply with the GDPR. The checklist effectively highlights the differences between the current Data Protection Act and the GDPR, making it easier for organisations to identify gaps and areas of risk.
A copy of the GDPR guidance is available at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf