10 things you need to do to prepare for the GDPR
If you read our previous blog on this subject, you will know that the deadline for ensuring that your practice’s data records are compliant with the GDPR (General Data Protection Regulation) is 25 May 2018. This isn’t just a pesky admin task that you can brush under the carpet: if your data doesn’t meet the correct standards, you could be fined up to 4% of your annual turnover.
So, what do you need to do?
1. Keep detailed records
Make a record of the nature, origin and destination of any personal data you hold or share. Under GDPR, if you share this type of data with other organisations, you will be responsible for telling them if it is at all inaccurate.
2. Plan for necessary changes to your privacy notices
As well as telling people who you are and how you will use their personal information, you must now explain your legal basis for processing it, how long you will hold it for, and that individuals have the right to complain to the ICO if they have any problems.
3. Ensure that your procedures respect individuals’ rights
The main rights for individuals are:
– subject access
– to have inaccuracies corrected
– to have information deleted
– to prevent direct marketing
– to prevent automated decision-making and profiling
Data portability: this is new; it means that you must provide the data electronically and in a commonly used format. So if you currently use an obscure electronic format, or even pen and paper (!), you should make some changes.
4. Subject access requests
Usually you will not be able to charge for these and will have only a month (instead of 40 days) to comply with a request. If you want to refuse a request, you will have to prove it meets certain criteria.
5. Check in with the law
What is your legal basis for processing personal data? If it is consent based, individuals will have the right to have their data deleted. Make sure that you have the correct legal basis for obtaining and processing personal data and that you understand its implications.
6. Obtaining and recording consent
You must be able to prove that consent was given for you to process personal data and any terms and conditions you use must be easily intelligible, not full of legal jargon. It is worth reviewing your systems now to check that you can do this.
7. Children (individuals under the age of 13)
If you seek, hold or process children’s personal data, you will need to be able to verify their ages and obtain parental or guardian consent. Be aware that you must write your privacy notice in language that children will understand.
8. Have a plan ready in the event of a data breach
Check that you have the correct procedures in place to detect and report a personal data breach. The new regulation means that you will now have to notify the ICO if an individual is likely to suffer from the breach, for example through identity theft.
9. Privacy Impact Assessments
Privacy Impact Assessments (PIAs) help organisations understand how to comply with their data protection obligations. Helpfully, the ICO has produced some guidance on PIAs to help you do this. Make sure you have read through the guidance and assessed how to implement PIAs in your organisation.
10. Data Protection Officers
If your organisation is processing large amounts of data or data relating to criminal convictions and offences, you may be required to appoint a Data Protection Officer. It is important that somebody in your organisation understands the GDPR and can ensure that your data meets its requirements.
If you were previously unaware of the changes to the data protection regulations, it is likely this has given you food for thought. For more information on any of the points above, you can visit the GDPR website.