Here are 10 things companies should be doing before 25th May in order to be GDPR compliant. We have found this to be a useful checklist, based on a webinar we took part in.
1. Understand your data.
- Carry out an audit
- Lawful basis for processing the data
- How are you processing your data?
- What third-parties are processing your data?
2. Put a plan of action in place.
- Can you continue to process this data?
- Who will you appoint as Data Protection Officer?
- What about security (encryption) of your data?
- What about retention of your data?
3. Put a Data Protection Policy in place.
- Data security policy
- IT Security policy
- Marketing compliance policy
- Dealing with breaches policy
- Dealing with subject access policy
- Document your process
4. Sort out and/or update your privacy policy.
- Meeting the requirements of the right to be informed.
- Add it to your website
- What happens when people fill out online/webshop/email/in shop forms
5. Deal with third-party processors
- Are they GDPR compliant?
- Data processing agreements
- Are you the third-party processor?
6. GDPR electronic marketing
- Don’t forget Privacy and Electronic Communications Regulations
- Do you have the rights?
- Do you need to seek consent?
- What third-party data are you using?
- Update consents and data capture.
- Soft opt-in. A legitimate reason to recontact them. Do they expect to hear from you?
7. Update your cookies permissions
- Need GDPR consent to use cookies
- Make sure you have a cookie policy
8. Deal with obligations
- Subject access right
- Right to erasure
- Right to portability
- Dealing with breaches
- Carry out a Data Protection Impact Assessment
9. Train your staff
- Data Protection
- Policy
- Consequences
10. Ongoing compliance
- 25th May is just the start
- Data Protection Act 2018
- Brexit
- Guidance
- ICO Registration – do you need to register?