ICO publishes guide for preparing for the GDPR
16 Mar 2016
The DMA recently attended the Information Commissioner’s Office (ICO) Data Protection Practitioner Conference 2016 where the ICO announced a new handy guide on how best to prepare for GDPR.
The ICO anticipates that the GDPR will be enforced from mid-2018. The final GDPR text has yet to be published, and it must be before the ICO can release its official guidance; this may not happen until June or July at the earliest.
In the guide the ICO says, “Over the next few months the ICO will set out its plans to produce new guidance and other tools to assist preparation. The Article 29 Working Party will also be producing guidance at European level. The ICO will also be working closely with trade associations and bodies representing the various sectors – you should also work closely with these bodies to share knowledge about implementation in your sector.”
The 12 steps apply to different organisations to varying degrees, but they are a good place to start on the road to GDPR compliance. They are summarised below:
Awareness
You should make sure all employees affected by GDPR are aware of the incoming changes and the likely impact.
Information you hold
Make a record of what personal data you hold about people, where it came from and who you have shared it with. An information audit may be necessary.
Communicating privacy information
Review your current privacy notices and be ready to make any changes the GDPR requires, for example the new information requirements at the data collection stage.
Individual rights
Review your processes to ensure you are able to cover citizens’ rights, for example the right to have their personal data deleted or rectified.
Subject access requests
Update your procedures and plan how you will handle requests within a month. If you need to refuse a vexatious subject access request, you will need a policy in place to demonstrate why the request is malicious.
Legal basis for processing personal data
Identify and record the legal basis for your data processing activities.
Consent
“Consent has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity. If you rely on individuals’ consent to process their data, make sure it will meet the standards required by the GDPR.”
The GDPR asks that data controllers record when and how consent was given. Organisations must have adequate processes to ensure this information is accurately recorded.
Children
Do you have processes in place to verify a person’s age and, where required, to obtain the consent of a parent or guardian?
Data breaches
Make sure you have the right processes in place to report a data breach. See DMA guidance for more information.
Privacy by design and privacy impact assessments
Familiarise yourself with ICO guidance and begin carrying out privacy impact assessments.
Data protection officers
You should appoint a data protection officer, if required by the GDPR. Find out here if you will need to.
We are surveying members to find out what they are doing to prepare for the GDPR. You can take part here.