Carry out an information audit. Look at how your organisation collects and uses information.
Where is data collected and stored?
Who is able to access this data?
What security measures do you currently have in place?
Raise awareness within your organisation.
Most employees will have some connection to personal data the organisation holds and processes.
Ensure they understand changes are coming, and the potential impact this could have on the business – and the potential penalties.
Make sure senior management is engaged in the process, and establish cross-functional teams to tackle the challenges.
Review your privacy policies and statements.
Look at what you currently tell users about how you use their data, and assess how far this goes to complying with the GDPR.
Assess your policies and procedures.
Do you have formal guidance in place on what to do if an individual wants to know what information you hold on them, or if you suffer a security breach?
Understanding the current situation will give you a foundation to put in place the required documentation.
Get in touch with your technology providers.
Compliance with the GDPR may require changes and amendments to your systems, with regard to how data is stored or secured.
Contact your suppliers to understand what steps they’re taking to become GDPR-compliant and what support they’re offering their clients.
Find out whether you will need to appoint a data protection officer (DPO).
In certain circumstances, organisations will need to appoint a DPO (see below).
Look out for updated guidance.
The ICO and Article 29 Working Party will continue to produce advice and guidance on how to interpret and implement GDPR’s many provisions, so keep an eye out for updates.
The EU has tried to mitigate the impact of the GDPR on small businesses, additionally claiming the reform will cut costs and red tape for businesses.
SMEs will not have to appoint a data protection officer, except where the organisation’s core business requires regular and systematic monitoring of data subjects on a large scale, or processes special categories of data (such as racial or religious information).
SMEs will not have to keep records of processing activities, unless the processing is more than occasional or is likely to result in a risk to the rights and freedoms of data subjects.
SMEs will not have to report all data breaches to individuals, unless the breaches represent a high risk to rights and freedoms.
Do we need a Data Protection Officer?
Some organisations will need to appoint a data protection officer under GDPR. These are:
- Public authorities
- Organisations that carry out large-scale systematic monitoring of individuals, or
- Organisations that carry out large-scale processing of ‘special’ categories of data (such as biometric data).
The DPO needs to:
- Report to the highest level of management in the organisation
- Operate independently (although, they can be an existing member of staff)
- Have adequate resources to enable them to meet GDPR obligations.
The DPO’s role is to inform and advise the organisation about GDPR and data protection compliance, to monitor the organisations’ efforts and to act as the point of contact for supervisory authorities and individuals. While they don’t need professional qualifications, it’s expected they will have some professional experience and knowledge of data protection law.