knowledge | 25 May 2018 |

Getting Data Protection Right

The General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) applies from Friday, 25 May 2018. GDPR results in wide ranging changes to the way that organisations collect, use and retain personal data, due to increased obligations and a greater emphasis on beign able to demonstrate compliance. The checklist below highlights some of the major issues which organisations should consider in preparing for the application of GDPR.

  • Does your organisation deal with personal data? If so, have you identified all potential data subjects and categories of data subjects?
  • Have you established whether you are a controller or processor of such personal data? Bear in mind that you might act as both in different circumstances…
  • Have you put the necessary data protection / privacy policies and notices in place? For example, if your organisation operates a website, do you have a website privacy notice in place? Review all current data protection /privacy policies and notices for compliance with the GDPR!
  • Is your organisation required to appoint a Data Protection Officer? If so, has one been appointed? If not, have you considered appointing someone to carry out a similar role, e.g. a Data Protection Manager?
  • Have you reviewed the lawful bases for your processing of personal data?
  • Is your organisation processing any special categories of personal data? If so, have you ensured that you have an additional lawful basis for such processing?
  • Have you reviewed all existing consents that you intend to rely on to ensure they meet the GDPR requirements and that you can demonstrate this?
  • Are you fully aware of the rights of data subjects under the GDPR? Have you updated your internal processes so that you can deal with requests from data subjects to exercise these rights?
  • Have you identified all personal data processed in a detailed record of processing? Have you implemented processes for updating and maintaining this record of processing?
  • Have you reviewed existing agreements with suppliers and customers to ensure they meet the updated requirements under the GDPR?
  • Have you developed a personal data breach response plan which reflects the enhanced notification requirements under the GDPR?
  • Have you identified all transfers of personal data to countries outside the EEA? Have you taken steps to ensure that you have appropriate safeguards in place in respect of all such transfers? 
  • Have you identified your supervisory authority? If your organisation operates in more than one EU Member State, have you identified your lead supervisory authority?
  • Do you have processes in place to monitor and maintain compliance?

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key contacts