Stages 7 to 12 of GDPR
Unlock This Video Now for FREE
This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.
Stage 7 - Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear, given that both forms of consent have to be freely given, specific, informed and unambiguous.
The GDPR is clear that data controllers must be able to demonstrate that consent was given. You should, therefore, review the systems you have for recording consent to ensure you have an effective audit trail.
Stage 8 - Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children in the UK, this will probably be defined as anyone under 13, then you will need a parent or guardian’s consent in order to process their personal data lawfully.
Stage 9 - Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board. Not all breaches will have to be notified to the ICO, only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.
Stage 10 Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. We have put a link to this document in the student download area of this course. This guidance shows how PIAs can link to other organisational processes such as risk management and project management.
A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement.
Stage 11 - Data Protection Officers
You should designate a Data Protection Officer if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
Stage 12 - International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Finally for more information please visit the ICO website and we have placed a link in the downloads area of this course.