Preparing for GDPR: UK ICO Launches SMB Phone Service
The UK Information Commissioner’s Office (ICO) now provides a phone service to help small and medium-sized businesses (SMBs) prepare for the European Union (EU) General Data Protection Regulation (GDPR).
With the phone service, callers can receive advice about GDPR preparation and insights into current data protection rules and other legislation regulated by the ICO, according to a prepared statement.
In addition, ICO has revised its data protection self-assessment kit to help businesses identify gaps in their GDPR preparation. ICO also plans to release a guide to GDPR by the end of the year.
ICO Offers a 12-Step Process to Help Businesses Prep for GDPR
ICO provides the following 12-step process to help businesses get ready for GDPR:
1. Ensure key decision-makers know about GDPR.
2. Document all personal data that is stored, where this information came from and whether the information is shared. By doing so, a business can prepare an information audit.
3. Review current data privacy notices and make any necessary changes.
4. Ensure data security procedures cover individuals’ rights and define how to delete personal data or provide data electronically and in a commonly used format.
5. Update data access procedures and determine how to handle requests within time frames defined by GDPR.
6. Identify the lawful basis for each data processing activity, document it and update the privacy notice to explain it.
7. Review how data processing consent is sought, recorded and managed and determine whether changes are needed.
8. Consider whether systems need to be put in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Ensure the right procedures are in place to detect, report and investigate a personal data breach.
10. Review the ICO’s code of practice on privacy impact assessments and guidance from the Article 29 Working Party, and incorporate them into an organization’s data processing protocols and systems.
11. Designate someone to take responsibility for data protection compliance and determine where this role will sit within an organization’s structure.
12. Determine which data protection supervisory authority will act as the lead authority; this is a requirement for organizations that operate in more than one EU member state.
GDPR takes effect in May 2018 and replaces the Data Protection Directive 95/46/EC. It is designed to streamline data privacy laws across Europe and protect EU citizens’ personal data privacy.