The General Data Protection Regulation (GDPR) applies from 25 May 2018 across all European
Union markets. This includes the UK, until the point of the UK's exit from the EU. After exit, the
UK government plans to incorporate the GDPR into domestic UK law. Read more about Brexit:
Data protection steps for a no-deal exit.
Note that if your business is not in the EU, you may still need to comply with the regulation if
you collect, share, transfer or use the personal data of individuals in the EU (the GDPR protects
data subjects who are in the EU, whatever their citizenship).
This checklist summarises the steps your business should take to comply with the GDPR.
An information audit can help you identify areas that could cause compliance problems under the
GDPR. It's important to look at what information you collect, store or process and determine:
An inventory of all personal data you hold will help you comply with the GDPR's accountability
principle, which requires organisations to demonstrate how they comply with the data protection
principles when carrying out their business.
For processing to be lawful under the GDPR, you must identify a legal basis before you can
process personal data. You also have to document it accordingly.
Under the previous data protection legislation, lawful bases were often referred to as 'conditions
for processing'. However, under the GDPR, the lawful basis you choose carries greater practical
implications, because it affects which rights individuals can exercise. For example, if you rely on
someone's consent to process their data, they will generally have stronger rights, such as the right
to have their data deleted.
There are six lawful bases for processing personal data under the GDPR:
consent
contract
legal obligation
vital interests
public task
legitimate interests
The GDPR sets a high standard for consent. Like the preceding data protection legislation, it has
references to both 'consent' and 'explicit consent'. Both forms of consent under GDPR have to
be:
freely given
specific
informed
an unambiguous indication of the individual’s wishes
Under GDPR, consent also requires some form of clear affirmative action. This means that you
cannot presume consent from silence, pre-ticked boxes or inactivity.
You must be able to demonstrate that consent has been given. This generally means that you will
have to keep some form of record of how and when you have sought and received consent.
If you rely on an individual's consent to process their data, take steps to ensure that your
processes meet the enhanced standards needed under the GDPR. Otherwise, you may want to
find an alternative to using consent.
Under GDPR, you must provide privacy information in clear and plain language. Your policies
should be transparent and easily accessible. You must include in your privacy notices certain
additional information, such as:
Find out more in the ICO's guidance on privacy notices, transparency and control.
The GDPR introduces greater rights for data subjects. Check your procedures and systems to
ensure they align to the new or enhanced rights under the General Data Protection Regulation,
including:
Prepare for the data subjects to exercise their rights and put in place procedures that will enable
you to deal with possible scenarios, eg someone asking you to delete their personal data, or
provide their data electronically or in commonly used formats.
The rules for dealing with subject access requests changed under the General Data Protection
Regulation. In most cases, you cannot charge for dealing with an access request; you may only
charge a reasonable fee (or refuse) where the request is manifestly unfounded or excessive, and you
must be able to demonstrate that this is the case. From 25 May 2018, you also have to respond to an
access request within one month, rather than the 40 days previously allowed under the Data
Protection Act. The one-month period can be extended by a further two months where requests are
complex or numerous, but you must tell the individual within the first month that you are extending
it and why.
You may have some grounds for refusing to grant an access request. However, you must have
clear refusal policies and procedures in place, and be able to demonstrate why the request meets
these criteria.
You also need to provide some additional information to people making requests, such as your
data retention periods and the right to have inaccurate data corrected. If your organisation
handles a large number of access requests, the impact of the changes could be considerable.
Find out more about the right of access under the GDPR.
The GDPR has new provisions that aim to enhance the protection of children's personal data.
These include:
clear privacy notices for children - where services are offered directly to a child
parent/guardian consent - where online services (eg social networking) are targeted at children
If your organisation collects personal data of children, you should think about putting systems in
place to verify individuals' ages and to gather parental or guardian consent for the data
processing activity.
You should put in place clear policies and procedures to ensure that you can quickly detect any
personal data breach, react appropriately and notify in time where required. Under the GDPR a
breach that is likely to result in a risk to individuals must be reported to the supervisory
authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming
aware of it; where the risk is high, the affected individuals must also be told without undue delay.
Find out more about the breach notification duties.
Under GDPR, you must implement technical and organisational measures to show that you have
considered and integrated data protection into your processing activities. Find out more about the
'privacy by design' approach to data protection.
You must ensure that you have clear policies in place to prove that you meet the required data
protection standards under the GDPR. You can follow best practices for accountability by
establishing a culture of:
As an integral part of this 'privacy by design' strategy, you may need to carry out a data
protection impact assessment (DPIA; previously known as a privacy impact assessment). A DPIA is
mandatory where processing is likely to result in a high risk to individuals, for example large-scale
use of new technologies, and it will help you to identify and reduce the privacy risks of your
projects.
The GDPR requires some organisations to designate a data protection officer (DPO): for example,
public authorities, organisations whose core activities involve regular and systematic monitoring of
individuals on a large scale, and organisations whose core activities involve large-scale processing
of special categories of data or criminal conviction data.
You may appoint a single DPO to act for a group of companies, taking into account their
structure and size. An organisation can also designate a DPO on a voluntary basis; however, the
same requirements will apply to their designation, position and tasks as if the designation
had been mandatory.
The General Data Protection Regulation imposes restrictions on the transfer of personal data
outside the European Union (and the wider European Economic Area). It does so to ensure that the
level of protection individuals have under the GDPR is not undermined when their data leaves the
EU.
Read more about the transfer of data under the GDPR rules.