May 23, 2018

GDPR – 10 things to do before 25th May 2018

Here are 10 things companies should be doing before the 25th May in order to be GDPR compliant. We have found this to be a useful checklist, based on a webinar we took part in.

1. Understand your data.

  • Carry out an audit
  • Lawful basis for processing the data
  • How are you processing your data?
  • What third-parties are processing your data?

2. Put a plan of action in place.

  • Can you continue to process this data?
  • Who will you appoint as Data Protection Officer?
  • What about security (encryption) of your data?
  • What about retention of your data?

3. Put a Data Protection Policy in place.

  • Data security policy
  • IT Security policy
  • Marketing compliance policy
  • Dealing with breaches policy
  • Dealing with subject access policy
  • Document your process

4. Sort out and/or update your privacy policy.

  • Meeting the requirements of the right to be informed.
  • Add it to your website
  • What happens when people fill out online/webshop/email/in shop forms

5. Deal with third-party processors

  • Are they GDPR compliant?
  • Data processing agreements
  • Are you the third-party processor?

6. GDPR electronic marketing

  • Don’t forget Privacy and Electronic Communications Regulations
  • Do you have the rights?
  • Do you need to seek consent?
  • What third-party data are you using?
  • Update consents and data capture.
  • Soft opt-in. A legitimate reason to recontact them. Do they expect to hear from you?

7. Update your cookies permissions

  • Need GDPR consent to use cookies
  • Make sure you have a cookie policy

8. Deal with obligations

  • Subject access right
  • Right to erasure
  • Right to portability
  • Dealing with breaches
  • Carry out a Data Protection Impact Assessment

9. Train your staff

  • Data Protection
  • Policy
  • Consequences

10. Ongoing compliance

  • 25th May is just the start
  • Data Protection Act 2018
  • Brexit
  • Guidance
  • ICO Registration – do you need to register?