The ICO has published its “12 steps to take now” guidance. This sets out the following areas that businesses need to consider before the regulations come into force on the 25th of May 2018:
- Awareness – let the relevant people in your organisation know that the law is changing
- Information audit – check what data you hold and who you share it with
- Privacy information – check your current privacy notices and make a plan for change
- Individuals’ rights – check how you currently comply with individuals’ rights e.g. complying with a subject access request or deleting personal data
- Subject access requests – plan how you will make changes to the process when the new law is here
- Lawful basis – check you have a lawful basis for processing data. Employers who process data for employment purposes are likely to be able to rely on the lawful basis of “performance of a contract” for most data processing, but potentially not all processing
- Consent – review how you obtain consent for processing data
- Children – review procedures for verifying ages and obtaining parental/guardian consent (not likely to have a great impact on the area of employment)
- Data breaches – review how you would notify a breach
- Impact assessments – consider how to implement data protection impact assessments
- Data Protection Officer – do you need a DPO? Who will ensure your compliance with GDPR?
- International – if you operate in more than one member state, determine a lead data protection supervisory authority