1. Fair processing

The Regulation creates a shift in approach to the way controllers currently determine what amounts to "fair and lawful" processing of personal data. The individual has much greater say in determining how their data may be lawfully used, with active rights to change consent-based processing and rights to object to processing based on "implied" rights (i.e. legitimate interests).

- Be clear about the lawful basis on which data are currently used, as established at the point of collection from individuals
- Where use is based on consent or "legitimate interests", look at adopting a more dynamic preference model for future use

2. Privacy notices

Privacy policies need to include mandatory information about the way in which data are processed and the statutory rights available to individuals. The wording must be clearly comprehensible to the target audience.

- Check the format and content of current privacy notices
- Notices will almost certainly require amendment to include the additional information and a refresh into plain language

3. Information governance

Data controllers must establish a compliance framework which demonstrates to a regulator that the organisation is taking active measures to ensure responsibility for effective data protection, including documentation and regular audit processes.

- Establish an information governance model within the organisation, supported by clear reporting lines at all levels
- Review and refresh internal policies and procedures to ensure they are fit for purpose
- Establish effective privacy audit and review processes

4. Privacy impact assessments

Privacy impact assessments should be carried out as a matter of routine for projects which might expose individuals to enhanced privacy risks due to the nature or scope of the processing operation.

- Develop a standard privacy impact assessment process
- Embed it into all new projects

5. Data protection officer

Certain types of organisations must appoint a data protection officer.

- Check if the organisation is likely to be required to appoint a data protection officer. If so, take steps to appoint a suitable individual.

6. Data breach

Where a data breach occurs, the controller must (in some cases) notify local regulators and the relevant data subjects affected by the breach.

- Establish a data breach management process to identify, escalate and manage data breaches effectively

7. One-stop-shop

If a controller has multiple points of presence across the EU, it may take advantage of the "one-stop-shop" mechanism to appoint the supervisory authority in the country of the controller's main establishment as a single supervisory body across all its EU operations. The one-stop-shop principle applies to processors as well.

- Consider whether this mechanism would be relevant to EU operations
- If so, consider which country would be best suited to be the main point of establishment and take steps to organise the business accordingly

8. Sharing data outside the organisation or outside Europe

The rules on transferring data to other organisations, for example in the context of a commercial joint venture, an outsourced service model, or offshore, are stringent and require the controller to take full responsibility for proper and secure handling, supported by effective due diligence and contractual measures.

- Establish clear ground rules for managing data handling throughout the supply chain
- Underpin these with standard due diligence checklists and data sharing / processor agreements incorporating EU model clauses as appropriate
