GDPR - The Final Countdown

  • Date: Tuesday 22nd May 2018

From 25th May, the General Data Protection Regulation goes live. Here is a final reminder of what you need to do to get 'Data Ready':

Item | Complete?
--- | ---
Assign internal responsibilities regarding data protection. | 
Train a Data Protection Officer (if applicable). | 
Undertake a data audit to identify the types of data controlled and processed, spot flaws in systems and controls, and implement an internal action plan. | 
Contact suppliers and processors, either asking them to submit their data policy or to confirm in writing that they are signing up to ours. | 
Complete a data processor register, capturing all data processors, identifying the type of data they process, and confirming that they have been vetted, by whom and when. | 
Put together a retention guideline, either as part of our policy or as a separate document. This should outline the different types of data held, how long each is held for, and when and how the data will be archived and destroyed. | 
Write and implement a data protection policy. | 
Write and publish a privacy notice or data policy statement. This can be done in accordance with ICO guidance (https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/) or in a simpler format if appropriate (see the SSG website for an example). | 
Contact customers who receive marketing information and ask for their consent to send such emails / correspondence in the future. Consent must be broken down as far as is reasonable (i.e. give them the option to sign up for newsletters but not for new service information or third-party correspondence). Consent must be informed and transparent (i.e. “tick this box if you wish to receive information” rather than “tick this box if you don’t wish to receive this information”). | 
Contact any individuals providing you with sensitive and/or restricted data (such as medical information or details relating to safeguarding or security). These may be staff, associates, customers, clients, subcontractors, etc. Inform them of our data policy / procedures and of our external processors. | 
Train staff (via formal training or toolbox talks). Record attendance. | 
Schedule an annual review of the policy and the processor register. | 
