GDPR – General steps: What to do now?

Carry out an information audit. Look at how your organisation collects and uses information.

Where is data collected and stored?

Who is able to access this data?

What security measures do you currently have in place?

Raise awareness within your organisation.

Most employees will have some connection to personal data the organisation holds and processes.

Ensure they understand changes are coming, and the potential impact this could have on the business – and the potential penalties.

Make sure senior management is engaged in the process, and establish cross-functional teams to tackle the challenges.

Review your privacy policies and statements.

Look at what you currently tell users about how you use their data, and assess how far this goes to complying with the GDPR.

Assess your policies and procedures.

Do you have formal guidance in place on what to do if an individual wants to know what information you hold on them, or if you had a security breach?

Understanding the current situation will give you a foundation to put in place the required documentation.

Get in touch with your technology providers.

Compliance with the GDPR may require changes and amendments to your systems, with regard to how data is stored or secured.

Contact your suppliers to understand what steps they’re taking to become GDPR-compliant and what support they’re offering their clients.

Find out whether you will need to appoint a data protection officer (DPO).

In certain circumstances, organisations will need to appoint a DPO (see below).

Look out for updated guidance.

The ICO and Article 29 Working Party will continue to produce advice and guidance on how to interpret and implement GDPR’s many provisions, so keep an eye out for updates.

Do we need a Data Protection Officer?

Some organisations will need to appoint a data protection officer under GDPR. These are:

  • Public authorities
  • If they carry out large-scale systematic monitoring of individuals, or
  • If they carry out large-scale processing of ‘special’ categories of data (such as biometric data).
The DPO needs to:
  • Report to the highest level of management in the organisation
  • Operate independently (although, they can be an existing member of staff)
  • Have adequate resources to enable them to meet GDPR obligations.

The DPO’s role is to inform and advise the organisation about GDPR and data protection compliance, to monitor the organisation’s efforts and to act as the point of contact for supervisory authorities and individuals. While they don’t need professional qualifications, it’s expected they will have some professional experience and knowledge of data protection law.
