GDPR: Sweet Dreams? Or A Nightmare on Overwhelmed Street?
Only 30 more sleeps to GDPR Day…
Unless you’re an insomniac, there are only 30 more sleeps until GDPR Day.
That’s right, after what seems like an eternity of build-up, this hugely anticipated/dreaded day for many will finally arrive on Friday 25th May 2018.
So, how will you fare?
Can you rest easy at night, sleeping soundly in the knowledge that you’re all sorted? Or will you be tossing and turning furiously, haunted by the spectre of ICO and all the GDPR stuff that you’ve conveniently put off?
If you’re the former, then bravo!
And, if you’re the latter, that’s kind of okay too; provided, of course, that one of those nightmares causes you to knock over the mug on your bedside table and awakens you to the smell of (now spilt) coffee.
Because the good news is that it’s not too late to get started with GDPR…
You’ve still got time to get ready for GDPR, but act now!
Yes, even though time is running out and the reality is that you’re at GDPR DEFCON 1, there is still time to get the most important things right.
And yes, we’re still here to help you, which is why we’ve drawn up your 30-Day GDPR Countdown Plan... It’s a bit like an Advent calendar without the chocolates or any association whatsoever with Christmas, but you get the gist.
Your 30-Day GDPR Countdown Plan
Ready? Here you go:
T minus 30 days…
Accept the fact you’re a little behind with your prep and that GDPR isn’t going to go away. And nor will its fines for non-compliance.
From now on, commit to taking GDPR seriously.
And start being proactive by acting on the guidance available here (and for a refresher course, by checking out our previous GDPR blogs).
T minus 29 to 21 days… Map your data
Now that you’re all enthused and have become an overnight GDPR Specialist, a good place to start is mapping all the data you hold – in other words, identify what information your business collects and why.
As per the ICO’s recommendations:
You should document what personal data you hold, where it came from and who you share it with.
Doing this will also help you comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles; for example, by having effective policies and procedures in place.
You may also need to organise an information audit across your organisation or within particular business areas, as the GDPR requires you to maintain records of your processing activities.
That way, if you have inaccurate personal data that you’ve shared with another organisation, it allows you to inform them so they can correct their own records.
T minus 20 to 11 days… Work out your lawful basis for processing personal data
You should identify and understand the lawful basis that supports your reason(s) for processing people’s personal data, and then document it (again to help you comply with the GDPR’s accountability requirements).
You’ll also need to update your privacy notice (see next section) to explain which basis you’re using, and to be able to state it when you receive a Subject Access Request.
T minus 10 to 2 days… Provide a transparent and easy-to-read Privacy Notice
You should review your current privacy notice(s) and have a plan in place to update it to comply with GDPR.
If you collect personal data, your privacy notice should display certain information, such as your identity and how you intend to use people’s details.
It should also explain your lawful basis for processing their data, your data retention periods and inform individuals of their right to complain to the ICO if they believe there’s an issue with how you’re handling their data.
Just as importantly, the GDPR requires the information to be provided in concise, clear and easy-to-understand language.
T minus 1 day…
You’re nearly there – have a break and take stock.
If you’ve followed our 30-Day Plan you should now be a lot more prepared for GDPR Day than you were previously.
And, now that you’re on a roll, why not keep the momentum going and make a list of any other GDPR things you need to do from here – check out additional advice from the ICO.
GDPR-Day: Time to crack open the bubbly!
Well done. You’ve made it. Sit back, relax and congratulate yourself on how far you’ve come.
And if you’re completely sorted (and not received any Subject Access Requests yet), swap your bedside tipple for something fizzy and start thinking about other things. Like summer holidays. Or Bank Holidays.
And speaking of Bank Holidays, did we mention it’s only another 243 days ‘til Xmas…? Oops. Cheers anyway!
Until next time...