The European Union General Data Protection Regulation (EU GDPR) is set to come into effect on the 25th of May 2018 and will strengthen the rights of individuals online, while creating significant obligations for businesses operating in an increasingly connected world.
The regulation applies to information which directly or indirectly identifies an individual, including customer lists, contact details, genetic/biometric data, and online identifiers like IP addresses.
We have outlined ten steps to help businesses prepare:
- The board should be accountable for data protection and ensure data protection risks receive ongoing attention and review from the C-suite.
- Perform a privacy risk analysis on new projects (a data protection impact assessment where the processing is likely to present a high risk to individuals) to identify privacy risks and the technical and organisational measures needed to mitigate them.
- Create a data-processing register detailing what data is held by the company, how it is stored and transferred, what it is used for and by whom.
- Classify personal information by risk, define a retention period for each class, and establish a procedure to erase data once its retention period has passed.
- Evaluate, and actively manage on an ongoing basis, existing contracts with third-party service providers with whom you share personal data, to ensure they include all of the mandatory obligations prescribed by the EU GDPR.
- Establish, embed and test a procedure to handle personal data incidents, including notification of the supervisory authority (within 72 hours of becoming aware of a breach, where notification is required) and of affected individuals where the breach is likely to result in a high risk to them.
- Increase the privacy-awareness of your employees.
- Ensure employees can recognise and respond appropriately to requests from data subjects seeking to exercise their rights under the EU GDPR (for example, the right to object and the right to erasure, or "right to be forgotten"). The processes for responding to such requests should be clearly documented and embedded into business practices.
- Determine and document whether your organisation is required to appoint a Data Protection Officer.
- Review and amend privacy statements and notices to meet the enhanced transparency requirements.