PIB Insurance Brokers present:
12 Steps to Prepare for GDPR
Presented by PIB Insurance Brokers
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect in the
EU and across the United Kingdom. The GDPR replaces the Data Protection Act (DPA) and
ushers in expanded rights to individuals and their data, and places greater obligations on
businesses and other entities that process personal data.
Many of the GDPR’s main concepts and principles are the same as those in the DPA, so if
you are complying properly with the DPA much of your approach to compliance will remain
valid under the GDPR and can be a starting point to build from. However, there are new
elements and significant enhancements, so you will have to do some things for the first time
and some things differently.
It is essential to plan your approach to GDPR compliance now and to gain buy-in from key
people in your organisation. That is why PIB Insurance Brokers is here with guidance and a
checklist from the Information Commissioner’s Office (ICO) to help you prepare for
compliance in 2018.
Compliance with all the areas listed in this checklist will require you to review your approach
to governance and how you manage data protection. Use the following checklist to map out
which parts of the GDPR will have the greatest impact on your business model, and create
a plan to focus on those areas in your planning process.
STEP 1: AWARENESS
Make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the GDPR’s impact.
YES | NO | ADDITIONAL NOTES
Are the key decision makers at your organisation aware that the GDPR will force you to change the way you conduct business?
Do the key decision makers know how the GDPR will affect your organisation?
Do the key decision makers at your organisation know what the requirements of the GDPR are?
Do the key decision makers at your organisation have a plan for how you will become GDPR compliant?
STEP 3: COMMUNICATING PRIVACY INFORMATION
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
YES | NO | ADDITIONAL NOTES
Has your organisation reviewed its current privacy notices?
Does your organisation have a plan in place for making necessary changes to your privacy notices?
Does your organisation know what changes need to be made in order to comply with the GDPR?
STEP 4: INDIVIDUALS’ RIGHTS
Check your procedures to ensure they cover individuals’ rights, including how you would delete personal data or provide data electronically in a commonly used format.
YES | NO | ADDITIONAL NOTES
Do your procedures cover all the rights that individuals have under the GDPR?
Do your procedures allow individuals to delete their personal data?
When deleting personal data, would your systems help you locate and delete data?
Who will make the decisions about deletion?
Do your procedures provide individuals with their data electronically and in a commonly used format?
STEP 5: SUBJECT ACCESS REQUESTS
Update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
YES | NO | ADDITIONAL NOTES
Has your organisation updated its procedures for how you will handle subject access requests?
Will your organisation be able to comply with subject access requests within one month, rather than the DPA’s 40 days?
Does your organisation have a plan for how it will handle subject access requests?
Is your organisation ready to refuse a request, which will involve you telling the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy? Will you be able to do this without undue delay, and within one month?
Is your organisation able to provide additional information upon request about subject access?
STEP 6: LAWFUL BASIS FOR PROCESSING PERSONAL DATA
Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
YES | NO | ADDITIONAL NOTES
Has your organisation identified the lawful basis for your processing in the GDPR?
Does your organisation have a method to document how you process personal data?
Has your organisation updated your privacy notice to reflect the lawful basis for processing personal data?
STEP 7: CONSENT
Review how you seek, record and manage consent, and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
YES | NO | ADDITIONAL NOTES
Has your organisation reviewed how it seeks consent?
Has your organisation reviewed how it records consent?
Has your organisation reviewed how it manages consent?
Does your organisation need to make any changes in its process of obtaining consent?
Does your organisation have simple ways for people to withdraw consent?
Is your consent separate from other terms and conditions?
Can your organisation’s existing consents be updated to meet the GDPR standard, meaning are they specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn?
STEP 8: CHILDREN
Think about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
YES | NO | ADDITIONAL NOTES
Does your organisation have a system in place to verify individuals’ ages?
Does your organisation have a system in place to obtain parental or guardian consent for any data processing activity?
STEP 9: DATA BREACHES
Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
YES | NO | ADDITIONAL NOTES
Does your organisation have a procedure in place to detect a personal data breach?
Now that the GDPR introduces a duty on all organisations to report certain types of data breaches to the ICO, and, in some cases, to individuals, does your organisation have a procedure in place to report a personal data breach?
Does your organisation have a procedure in place to investigate a personal data breach?
Does your organisation need to assess the type of personal data it holds and document when it would be required to notify the ICO or affected individuals if a breach occurred?
STEP 10: DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
Familiarise yourself with the ICO’s code of practice on privacy impact assessments as well as the latest guidance from the Article 29 Working Party, and figure out how and when to implement them in your organisation.
YES | NO | ADDITIONAL NOTES
Is your organisation familiar with the ICO’s code of practice on privacy impact assessments?
Does your organisation have a strategy on how and when to implement the ICO’s code of practice on privacy impact assessments?
Is your organisation familiar with the latest guidance from Article 29 Working Party?
Does your organisation know how and when to implement Article 29 Working Party?
Does your organisation know whether it is required to undertake a data protection impact assessment (DPIA)? DPIAs are required in situations where data processing is likely to result in high risk to individuals, such as when a new technology is deployed or when a profiling operation is likely to significantly affect individuals.
STEP 11: DATA PROTECTION OFFICERS
Designate someone to take responsibility for data protection compliance and assess where this role will sit in your organisation’s structure and governance arrangements. Consider whether you are required to formally designate a data protection officer.
YES | NO | ADDITIONAL NOTES
Has your organisation designated someone to take responsibility for data protection compliance?
Has your organisation considered whether it is required to formally designate a data protection officer (DPO)? You must designate a DPO if you are a public authority, an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out the large scale processing of special categories of data, such as health records or information about criminal convictions.
Has your organisation assessed where the data protection officer(s) will sit within your organisation’s structure and governance arrangements?
STEP 12: INTERNATIONAL
If your firm operates in more than one EU member state, including carrying out cross-border processing, you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you.
YES | NO | ADDITIONAL NOTES
Does your organisation operate in more than one EU member state?
If your organisation has establishments in more than one EU member state or you have a single establishment that carries out processing that substantially affects individuals in other EU states, has your organisation mapped out where it makes its most significant decisions about its processing activities? This will help to determine your ‘main establishment’ and, therefore, your lead supervisory authority.
Has your organisation determined your lead data protection supervisory authority? Use Article 29 Working Party guidelines to determine this.
This checklist is of general interest and is not intended to apply to specific circumstances. It does not purport to be a
comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded
as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may
have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the
reader is cautioned accordingly.
Contains public sector information published by the ICO and licensed under the Open Government Licence v3.0.
Design © 2017 Zywave, Inc. All rights reserved.

The Influence of Marketing Strategy and Market Competition on Business Perfor...
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
Sustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & EconomySustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & Economy
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
 
Digital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and TemplatesDigital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and Templates
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
The-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic managementThe-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic management
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
 
Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
 

12 steps to prepare for GDPR

  • 2. Presented by PIB Insurance Brokers

    On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect in the EU and across the United Kingdom. The GDPR replaces the Data Protection Act (DPA) and ushers in expanded rights to individuals and their data, and places greater obligations on businesses and other entities that process personal data.

    Many of the GDPR’s main concepts and principles are the same as those in the DPA, so if you are complying properly with the DPA much of your approach to compliance will remain valid under the GDPR and can be a starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.

    It is essential to plan your approach to GDPR compliance now and to gain buy-in from key people in your organisation. That is why PIB Insurance Brokers is here with guidance and a checklist from the Information Commissioner’s Office (ICO) to help you prepare for compliance in 2018.

    Compliance with all the areas listed in this checklist will require you to review your approach to governance and how you manage data protection. Use the following checklist to map out which parts of the GDPR will have the greatest impact on your business model, and create a plan to focus on those areas in your planning process.

    STEP 1: AWARENESS
    Make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the GDPR’s impact.
    YES NO ADDITIONAL NOTES
    Are the key decision makers at your organisation aware that the GDPR will force you to change the way you conduct business?
    Do the key decision makers know how the GDPR will affect your organisation?
    Do the key decision makers at your organisation know what the requirements of the GDPR are?
    Do the key decision makers at your organisation have a plan for how you will become GDPR compliant?
  • 3. STEP 3: COMMUNICATING PRIVACY INFORMATION
    Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
    YES NO ADDITIONAL NOTES
    Has your organisation reviewed its current privacy notices?
    Does your organisation have a plan in place for making necessary changes to your privacy notices?
    Does your organisation know what changes need to be made in order to comply with the GDPR?

    STEP 4: INDIVIDUALS’ RIGHTS
    Check your procedures to ensure they cover individuals’ rights, including how you would delete personal data or provide data electronically in a commonly used format.
    YES NO ADDITIONAL NOTES
    Do your procedures cover all the rights that individuals have under the GDPR?
    Do your procedures allow individuals to delete their personal data?
    When deleting personal data, would your systems help you locate and delete data? Who will make the decisions about deletion?
    Do your procedures provide individuals with their data electronically and in a commonly used format?

    STEP 5: SUBJECT ACCESS REQUESTS
    Update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
    YES NO ADDITIONAL NOTES
    Has your organisation updated its procedures for how you will handle subject access requests?
    Will your organisation be able to comply with subject access requests within one month, rather than the DPA’s 40 days?
    Does your organisation have a plan for how it will handle subject access requests?
    Is your organisation ready to refuse a request, which will involve you telling the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy? Will you be able to do this without undue delay, and within one month?
    Is your organisation able to provide additional information upon request about subject access?
  • 4. STEP 6: LAWFUL BASIS FOR PROCESSING PERSONAL DATA
    Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
    YES NO ADDITIONAL NOTES
    Has your organisation identified the lawful basis for your processing in the GDPR?
    Does your organisation have a method to document how you process personal data?
    Has your organisation updated your privacy notice to reflect the lawful basis for processing personal data?

    STEP 7: CONSENT
    Review how you seek, record and manage consent, and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
    YES NO ADDITIONAL NOTES
    Has your organisation reviewed how it seeks consent?
    Has your organisation reviewed how it records consent?
    Has your organisation reviewed how it manages consent?
    Does your organisation need to make any changes in its process of obtaining consent?
    Does your organisation have simple ways for people to withdraw consent?
    Is your consent separate from other terms and conditions?
    Can your organisation’s existing consents be updated to meet the GDPR standard, meaning are they specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn?

    STEP 8: CHILDREN
    Think about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
    YES NO ADDITIONAL NOTES
    Does your organisation have a system in place to verify individuals’ ages?
    Does your organisation have a system in place to obtain parental or guardian consent for any data processing activity?
  • 5. STEP 9: DATA BREACHES
    Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
    YES NO ADDITIONAL NOTES
    Does your organisation have a procedure in place to detect a personal data breach?
    Now that the GDPR introduces a duty on all organisations to report certain types of data breaches to the ICO, and, in some cases, to individuals, does your organisation have a procedure in place to report a personal data breach?
    Does your organisation have a procedure in place to investigate a personal data breach?
    Does your organisation need to assess the type of personal data it holds and document when it would be required to notify the ICO or affected individuals if a breach occurred?

    STEP 10: DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
    Familiarise yourself with the ICO’s code of practice on privacy impact assessments as well as the latest guidance from the Article 29 Working Party, and figure out how and when to implement them in your organisation.
    YES NO ADDITIONAL NOTES
    Is your organisation familiar with the ICO’s code of practice on privacy impact assessments?
    Does your organisation have a strategy on how and when to implement the ICO’s code of practice on privacy impact assessments?
    Is your organisation familiar with the latest guidance from Article 29 Working Party?
    Does your organisation know how and when to implement Article 29 Working Party?
    Does your organisation know whether it is required to undertake a data protection impact assessment (DPIA)? DPIAs are required in situations where data processing is likely to result in high risk to individuals, such as when a new technology is deployed or when a profiling operation is likely to significantly affect individuals.

    STEP 11: DATA PROTECTION OFFICERS
    Designate someone to take responsibility for data protection compliance and assess where this role will sit in your organisation’s structure and governance arrangements. Consider whether you are required to formally designate a data protection officer.
    YES NO ADDITIONAL NOTES
    Has your organisation designated someone to take responsibility for data protection compliance?
    Has your organisation considered whether it is required to formally designate a data protection officer (DPO)? You must designate a DPO if you are a public authority, an organisation that carries out regular and systematic monitoring of individuals on a large scale, or an organisation that carries out the large scale processing of special categories of data, such as health records or information about criminal convictions.
    Has your organisation assessed where the data protection officer(s) will sit within your organisation’s structure and governance arrangements?
  • 6. STEP 12: INTERNATIONAL
    If your firm operates in more than one EU member state, including carrying out cross-border processing, you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you.
    YES NO ADDITIONAL NOTES
    Does your organisation operate in more than one EU member state?
    If your organisation has establishments in more than one EU member state or you have a single establishment that carries out processing that substantially affects individuals in other EU states, has your organisation mapped out where it makes its most significant decisions about its processing activities? This will help to determine your ‘main establishment’ and, therefore, your lead supervisory authority.
    Has your organisation determined your lead data protection supervisory authority? Use Article 29 Working Party guidelines to determine this.

    This checklist is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.

    Contains public sector information published by the ICO and licensed under the Open Government Licence v3.0. Design © 2017 Zywave, Inc. All rights reserved.