Yes, you do! You need to be ready by 25 May 2018 as no business is exempt.
Some of the regulation is still being agreed; however, here are the actions you can take now. Remember the individuals’ rights under GDPR:
- Appoint a Data Protection Officer if you are a firm of 250 people or more.
- Document what data you hold. Where did it come from? What is it used for? Where is it held? Note, if you use cloud-based systems, you need to identify where that cloud is held.
- Review your privacy notices. Are there any changes you need to make? Note: this can no longer be embedded in your terms and conditions, but needs to be somewhere more visible.
- Identify the legal basis on which you are holding the data. Is it necessary?
- Did you ask the individual for permission to hold their personal data? Review your processes for obtaining data. Do you specify what you would use their data for and ask them if you can use it for that purpose? Can you prove you have permission to hold their data and use it for the purposes specified? Is the data up to date and accurate? If you answered ‘no’ to any of these questions, you will need to run an exercise to obtain permission from your clients to hold their data. Consider how you will do this going forward.
- Update your procedures to ensure they cover all individuals’ rights, including how you would delete personal data or share it electronically. What is your procedure for handling requests for access to data?
- Data breaches: you need to have a procedure to act on these, as all data breaches need to be reported to the Supervisory Authority within 72 hours.
- Do you carry out Data Protection Impact Assessments? These will be a requirement under GDPR, so if you don’t already do so, you need to bring in a policy for doing so and start acting on it.
- Children: if you hold data on children, you need to identify up to what age you need parental consent.
Overwhelmed? Give me a call on 0845 869 0141 or use the ‘contact me’ form on this site. I can help!
For more reading: