GDPR: Getting Prepared
Comes into force 25th May 2018
What you need to know
On 25th May 2018, the most important change to data privacy regulation in 20 years comes into effect. The EU General Data Protection Regulation (GDPR) replaces the previous Data Protection Directive, and organisations which do not comply could be susceptible to
The GDPR imposes greater legally binding obligations on organisations. Staff data protection training will be expected, a Data Protection Officer must be appointed where the regulation requires it, financial penalties are increased to a maximum of €20 million or 4% of worldwide annual turnover (whichever is higher), and more comprehensive rights are afforded to data subjects.
Download our GDPR Guide
The IPM have created a guide, exclusively for IPM Members to ensure your organisation is GDPR compliant. In the guide, we provide helpful information, details of the changes to data privacy regulation and steps to help you prepare.
The ICO's recommended steps
The Information Commissioner's Office (ICO) has provided the following 12 recommended steps to becoming GDPR compliant. For more information, visit the ICO website.
- Awareness
Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
- Information you hold
Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.
- Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals' rights
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests
Update your procedures and plan how you will handle requests to take account of the new rules.
- Lawful basis for processing personal data
Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent
Review how you seek, record and manage consent from individuals and whether you need to make any changes. Refresh existing consents now if they don't, or may not, meet the GDPR standard.
- Children
Start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data
- Data breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments
It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term 'data protection by design and by default'. It also makes PIAs, referred to as 'Data Protection Impact Assessments' or DPIAs, mandatory in certain circumstances.
- Data Protection Officers
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements.
- International
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.