Personnel – Have you got management/director support for the changes and identified who will be responsible for data protection going forwards? How will you educate staff?
Audit – Do you know what data you hold, where it comes from and understand how it is processed? What is your legal basis for processing?
Consent/opt-in – Does your process for obtaining consent from a data subject (e.g. customer/employee/candidate) need updating and does this mean you will need to re-obtain consent for the data you already hold? Do you provide all the required information at that time? What about personal data obtained from a third party?
Compliance processes – What changes do you need to make to your internal compliance processes and training? Do you have response plans for dealing with data breaches, subject access requests and requests from an individual who wants to be forgotten or objects to processing? How will you keep an up-to-date record of your compliance procedures as well as your data protection decisions and responses?
Documentation and contracts – Much of your customer-facing documentation, internal policies and contracts with third parties will be impacted.
Knowledge base – These questions only address some impacts of GDPR on you; have you done your research and do you understand your business? Have you got specialist legal advice in place?
This bulletin contains general overview information only. It does not constitute, and should not be relied upon, as legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.