
GDPR - 12 Steps to heaven

31 May 2016

In preparation for the GDPR compliance deadline in 2018, the UK Information Commissioner’s Office (ICO) published 12 steps for businesses to take in order to attain compliance nirvana.

We have already published our own guidance on GDPR compliance but the ICO indicates that the 12 steps to take now are:

  • Awareness – make sure that you understand GDPR
  • Information gathering – assess and verify what personal data you hold
  • Transparency – ensure that you have in place plain language and transparent statements as to how you process personal data
  • Individual rights – understand the new rights for data subjects and anticipate how you will need to amend your business practices to respect those rights
  • Subject access requests – update your policies and procedures regarding subject access requests
  • Legitimate processing – understand how you can lawfully process personal data and identify the legal basis for the use of personal data that you hold
  • Consent – consider what plain language “permissioning” statements you will need to have in place
  • Children – be aware that using children’s personal data places strict compliance obligations on the business
  • Data incidents – GDPR introduces data breach notification rules which you need to be aware of
  • PIA and PbD – Privacy Impact Assessments and Privacy by Design are two relatively new concepts mandated by GDPR, so understand how these affect your business
  • Data Protection Officers – many businesses will be required to appoint a data protection officer who will need to be appropriately trained and be able to act without conflict of interest
  • Data transfers – review how you share personal data internationally and consider what solutions GDPR gives you in order to remain compliant

In addition to the guidance from the ICO it is expected that the EU Article 29 Data Protection Working Party will produce guidance at a European level over the next 6 months.

Compliance with GDPR will inevitably require that management assesses budgets, technology, training, governance and communications.

For more information, please contact Robert Bond on +44 (0)20 7427 6660 or robert.bond@crsblaw.com.