Stage 1 – Awareness
Everyone who is a key person or decision maker needs to be aware of the GDPR and to appreciate that it may raise many different compliance problems that will have to be addressed. Implementing the GDPR can take a lot of time and money, so it is best not left to the last minute.
Stage 2 – Information you hold
You will need to document what personal data you hold, where it came from and who you share it with. The personal data you hold must be accurate, and if you have shared inaccurate personal data with another organisation you will need to notify that organisation so it can correct its records. The GDPR’s accountability principle requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
Stage 3 – Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data, you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR, there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods, and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires this information to be provided in a concise, easy-to-understand way, using clear language.
Stage 4 – Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format. The main rights for individuals under the GDPR will be:
– subject access
– to have inaccuracies corrected
– to have information erased
– to prevent direct marketing
– to prevent automated decision making and profiling
– data portability
Stage 5 – Subject access requests
The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for complying with a request, and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with a subject access request: manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and their right to have inaccurate data corrected.
Stage 6 – Legal basis for processing personal data
You will need to look at the various types of data processing you carry out, identify your legal basis for each, and make sure you document it. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. Again, you should document this to help you comply with the GDPR’s ‘accountability’ requirements.