In January the U.K. Information Commissioner’s office issued a guide to preparing for the new European Union General Data Protection Regulation (GDPR).
“The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability,” it notes.
These are the highlights:
–Make sure key decision makers know the GDPR will be implemented May 25, 2018, and the impact it will have
–Document what personal information on EU citizens the company collects
–Review current privacy notices and put a plan in place to make any changes to meet the GDPR
–Check company procedures to ensure they cover all the rights EU citizens have under the new legislation, including how personal data will be deleted
–Update procedures and plan how the company will handle data access requests
–Look at the various types of data processing you carry out, your legal basis for carrying it out and document it
–Review how the company seeks, obtains and records consent and whether there need to be changes to comply with the GDPR
–Start thinking about putting systems in place to verify individuals’ ages and, if necessary, gather parental or guardian consent for data processing
–Make sure you have the right procedures in place to detect, report and investigate a personal data breach
–Prepare a privacy impact assessment
–Designate a data protection officer, if required
You may also find this FAQ from the European Union helpful.