How to Prepare for GDPR

You only need to look at the results of surveys by Exchange Wire, Calligo and McAfee, among others, to see that many data professionals, and their organisations, are not fully prepared for the General Data Protection Regulation (GDPR). Any organisation that is lagging behind in preparations needs to take measures immediately, in order to ensure that they are ready by May 25 2018.

Many organisations may not have a great deal of work to do if they already comply with current legislation. But GDPR is more stringent, so it’s important to review current policies and procedures and make sure that they are compliant.

Reviewing the data that is held

All organisations should review the data they hold, including what the information is, how it was obtained and what it’s being used for. This helps to determine whether it meets GDPR requirements. A data audit may be necessary.

Ensuring the individual’s rights are covered

It’s important to ensure that individuals’ rights, as detailed in the GDPR, are covered. These rights are:

  • Subject access.
  • Correction of inaccurate data.
  • Ability to have data erased.
  • Ability to prevent direct marketing.
  • Prevention of automated decision making.
  • Data portability.

All of these points are covered by current data protection legislation, with the exception of data portability. This means that everyone has the right to get full details of the data held on them, by electronic means.

Updating procedures for dealing with subject access requests (SARs)

Once GDPR is introduced, companies will not normally be able to charge for a SAR, and they will need to supply the information within forty days.

Documenting legal basis for data processing

Every organisation should document the legal basis it has for processing all of the data that it uses.

Making sure a data protection officer is in place

All organisations which employ more than 250 people must have a data protection officer (DPO) in place.

Checking guidance from the supervising authority (SA)

As part of preparations for the introduction of GDPR it’s good practice for organisations to check the latest information provided by the relevant supervising authority (SA).

All organisations should examine all of these considerations, as part of their preparations. Failure to do so could mean they are subject to fines and other sanctions.