GDPR Checklist: 10 top tips to ensure your business is prepared
Does your business store and process personal data? If so, whether it is data on clients or staff, the GDPR will be applicable. Please see our article on GDPR for more information.
Our practical checklist is a good place to start getting ready.
- Promote awareness
The regulation comes into effect on 25 May 2018 and compliance is mandatory from this date. Key decision makers within your business, including those responsible for budgets, need to be aware of the regulation and its implications and start planning now.
- Appoint a Data Protection Officer (DPO)
Although not compulsory for smaller businesses, it is still worth considering appointing a DPO. It may also be worthwhile establishing a GDPR committee.
- Carry out an audit
All businesses need to ascertain what personal data they currently hold, where such information has originated from, and with whom it is shared. An audit will also help identify where existing practices fall short of requirements under the GDPR.
- Train staff early
All staff should be properly trained in order to minimise the likelihood of any breach.
- Keep records
Businesses need to keep written records in order to evidence how they are compliant with the accountability principle, a central concept of the GDPR.
- Update Privacy Notices
The Data Protection Act 1998 requires businesses to provide certain information to individuals, including the identity of the business and the intended use of the information. This is often given in the form of a Privacy Notice. The GDPR extends the information that must be given to an employee, for example, the retention periods of personal data. Privacy Notices should be reviewed and updated.
- Be clear on Consent
It must be as easy for an individual to withdraw their consent as it was to provide it in the first place. Businesses will need to carefully review their existing procedures and forms in relation to consent to ensure they are compliant with the GDPR.
- Review data protection policies
Employers will need to review and likely update their existing contracts of employment, Terms & Conditions and data protection policies to ensure they are compliant with the GDPR.
- Data Protection Impact Assessments (DPIA)
DPIAs will be mandatory when planning a new initiative, particularly if it involves new technologies and “high risk” data processing activities. Monitoring individuals or processing special categories of personal data are likely to be high risk.
- Regularly check for updates
Some details of the GDPR are still being finalised. The ICO publish monthly updates on their website www.ico.org.uk, and we would therefore advise you to check this on a regular basis for up-to-date guidance.
The above list serves only as a handful of practical tips that employers should consider taking before May 2018. However, given the enormity of the GDPR, this list by no means addresses all areas of change which will continue to evolve.
Businesses that have taken all possible steps to address all cyber security threats will be in a better position to successfully defend against a claim.
We will be pleased to help you with any queries you should have on this complicated area and will keep you posted as new information becomes available.