The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

The clock is ticking fast regarding compliance with the General Data Protection Regulation (GDPR), which will be fully enforced from 25 May 2018, with severe penalties for non-compliance.

The GDPR represents a significant compliance burden for almost all Irish businesses, as even small businesses hold important personal information. If you have not already started your review of the impact of the GDPR on your business and begun to adapt, time is fast running out.

In preparation for GPDR 2018 The Data Protection Commissioner has listed the following twelve steps to put into action to ensure your business is in compliance.

1.Becoming Aware

Review and enhance your organisation’s risk management processes – identify problem areas now.

2. Becoming Accountable

Make an inventory of all personal data you hold. Why do you hold it? Do you still need it? Is it safe?

3.Communicating with Staff and Service Users

Review all your data privacy notices and make sure you keep service users fully informed about how you use their data.

4.Personal Privacy Rights
Ensure your procedures cover all the rights individuals are entitled to, including deletion and data portability.

5.How will Access Requests change?
Plan how you will handle requests within the new timescales – requests must be dealt with within one month.

6.What we mean when we talk about a ‘Legal Basis’
Are you relying on consent, legitimate interests or a legal enactment to collect and process the data? Do you meet the standards of the GDPR?

7. Using Customer Consent as grounds to process data
Review how you seek, obtain and record consent, and whether you need to make any changes to be GDPR ready.

8. Processing Children’s Data
Do you have adequate systems in place to verify individual ages and gather consent from guardians?

9. Reporting Data Breaches
Are you ready for mandatory breach reporting? Make sure you have the procedures in place to detect, report and investigate a data breach.

10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default Data privacy needs to be at the heart of all future projects.

11.Data Protection Officers
Will you be required to designate a DPO? Make sure that it’s someone who has the knowledge, support and authority to do the job effectively.

12. International Organisations and the GDPR
The GDPR includes a ‘one-stop-shop’ provision which will assist those data controllers whose companies operate in many member states. Identify where your Main Establishment is located in the EU in order to identify your Lead Supervisory Authority.

Download the full document here