General Data Protection Regulation: Toolkit for the EU GDPR

published on January 4, 2018  

This document sets out the schedule of our series of "Toolkits" on specific key elements of the upcoming EU GDPR (General Data Protection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.

We have created the following GDPR Toolkits, each one representing a key element of the new GDPR data protection regime:

• 1) The Data Protection Officer (DPO)

• 2) Consent

• 3) Individual Rights

• 4) Six Principles Governing Processing of Personal Data

• 5) Cross-Border Personal Data Transfer

• 6) Children's Personal Data

• 7) Privacy By Design

• 8) Data Breaches and Enforcement

The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC). It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.

The UK Information Commissioners Office (ICO) has set out a 12 stage GDPR approach which you should also be taking account of.

Below is a brief summary of these various ICO stages:

1. Awareness – you should ensure that the decision-makers and key people in your organisation are aware that the law is changing to the GDPR and the impact of the same.
     
2.  Check what information you hold – ensure you document what personal data you hold, where it came from and who you share it with.
     
3. Privacy Policy – you should review your privacy policy and put a plan in place for making any necessary changes in time for GDPR implementation.
      
4. Individual Rights – check your procedures and ensure they are suitable considering all of the rights that individuals have.
      
5. Subject Access Requests – you should review your procedures and put in plan as to how any subject access requests will be handled.
     
6. Check you have a lawful basis for processing personal data – you should identify the lawful basis for which you process personal data.
      
7. Consent – you should review how you seek record and manage individuals consent to process their personal data.
       
8. Processing data of an individual under 16 – look at how you will be able to verify age and how you can obtain parent/guardian consent to process personal data (please note this age limit may be reduced to 13 in the UK).
       
9. Data Breaches – you should ensure you have the right procedures already in place to detect, report and investigate a personal data breach.
      
10. Privacy by design – the GDPR makes privacy by design an express legal requirement and the use of Privacy Impact Assessments are mandatory in certain circumstances.
      
11. Data Protection Officers – you need to ensure you designate someone to take responsibility for data protection compliance (large organisations may need a dedicated full time DPO role).
       
12. International – if your organisation operates in more than one EU member state you should determine your lead data protection supervisory authority and document this.