The General Data Protection Regulation will come into force in all of the 28 Member States of the European Union (EU) on 25 May 2018. This will herald a significant change in the regulatory landscape for data protection giving EU citizens greater control of their personal data.
The new Regulation directly affects both EU and non-EU based businesses as it applies to organisations processing and holding personal data of data subjects in the EU, regardless of the organisation’s location.
so what should you be doing ?
Due to the wide scope of GDPR it will cover more many more businesses than before. If you have not already started getting ready, with 6 months to go before implementation, you need to be getting ready now. So where do you start…?
(If you missed them, you can read tips 1 to 5 in the first article here)
- Determine if you need to appoint a Data Privacy Officer (DPO). These are required when:
- Core activities require regular and systematic monitoring of data subjects on a large scale or
- Large scale processing of sensitive data
Research organisations generally collect personal data, including sensitive data, as part of their core activities, and they do this on a large scale so a DPO is likley to be needed by research organisations. MRS has some guidance on appointing DPOs.
- Build an organisation wide comprehensive privacy compliance programme and structure to ensure that all the necessary activities are completed.
- Prioritise all areas within your business which have the highest risk and highest potential impact on your organisation, including areas with he highest fines such as consent, sensitive data and compatibility of systems with new rights.
- Start undertaking Privacy Impact Assessments (sometimes called Data Protection Impact Assessments) for your activities. This is how privacy by design and default becomes embedded in your corporate thinking. These assessments should describe your data flows and identify and minimise compliance risks. As a minimum the Assessment should include:
- A description of the envisaged data processing
- An assessment of the need for processing and risks to the data subjects
- Measures to mitigate these risk and to ensure GDPR compliance.
- And lastly prepare for breach notifications. Set up internal procedures and strategies for data breach notifications, and processes for detecting breaches.
Managing Director, MRS