What you need to do
The new accountability principle of the GDPR requires an organisation to show evidence that it is complying with the principles of the regulation. It would be worthwhile documenting all the processes that have taken place to integrate the new regulations with the organisation's data collection and processing procedures. An example of how RC Ayr are documenting our compliance and completing the checklist below can be found here.
1: Conduct a Data Audit:
Review your data processing. This is a great first step to identify the other actions you will need to take.
A sample review form can be found here
2: Create a Privacy Notice:
Have you drafted a Privacy Notice?
Is it available online for people to access?
Is there a date set to review it?
A sample notice can be found here
We have now produced a draft ‘easy read’ privacy note which can be found here (for use with young/vulnerable people)
3: Do you need to get additional consent?
It’s likely that you will need to get additional consent from people, because either consent has been assumed or the evidence of the consent is no longer available.
A sample consent form can be found here
Please also note that the regulation states that data subjects should have access to the privacy note before consent can take place – it would be advisable to have the privacy note on all consents.
4: Are your procedures up to date?
Data subjects (those people about whom you hold personal data) have the right to see what data is being stored about them, to make corrections where there are errors, or to ask for their data to be deleted. Do you have processes in place to meet such requests?
5: What if you had a breach?
Review your breach management procedures and ensure that you know what to do in the event of a breach. If you don’t have any, you will need to develop them.
This guide is for general purposes only. For legal advice you must contact a qualified legal advisor.