The two-year window for organisations to take the steps necessary to comply with the GDPR is drawing to a close. GDPR will take effect on May 25 this year, meaning less than four months to put an action plan in place that prioritises key risks for your organisation. Here are my four steps that businesses should address now.
Review what personal data you hold, how it is used and who it is shared with. Mapping out the data flows across your business is a key priority at this stage. This will underpin your compliance action plan. You will then be able to identify how you move forward, and what resources you need to help achieve this. This mapping exercise will also form the basis of your record-keeping obligations under GDPR and, likewise, allow you to update or draft GDPR-compliant privacy notices.
Once you know what personal data you hold, the next step is to analyse your legal basis for using that information. Much has been made of the consent obligations, but consent is only one of the legal bases that you can rely on for using and holding an individual's personal data.
Considering the more stringent consent requirements, you should review where you are relying on this approach and consider if any other legal basis is available to you. Where consent is the only available legal basis, you should review your consent language and consider whether changes are needed to comply with GDPR, refreshing them where needed.
Consider your governance structures and how they need to change to ensure appropriate responsibility for compliance is allocated to individuals within your business. Identify champions within the business to implement policies and procedures which address key compliance risks (such as notifying security incidents and handling rights of individuals) and train staff to ensure everyone understands their obligations. GDPR is everyone’s responsibility.
Review contracts that involve the transfer of personal data to a third party. Assess whether those third parties are acting as your data processor (i.e. using the information on your instructions and on your behalf) or using the data for their own purposes. Where they are acting as your data processor, for example, by providing payroll services or cloud-based web hosting, the contract will need to be updated to include the provisions required by GDPR. Depending on the volume of these contracts, you may need to prioritise those that pose the highest risk as these are likely to take the most time to negotiate and amend.
While the steps above may not address all of the actions you need to take ahead of May 25, the time and resource likely to be needed to complete these tasks means that they should be your focus now. Leaving these tasks until later in the year may mean you do not leave sufficient time to comply.
Womble Bond Dickinson
For advice on how you can achieve GDPR compliance, please contact Caroline or one of the data protection team at Womble Bond Dickinson.