What do I need to do about it?
There's information on the ICO website to help you prepare for the change in legislation, and the ICO has also produced a paper suggesting that all organisations follow 12 steps to be ready for the new regulation.
- Awareness: key people in your business need to be aware of the new law.
- Information you hold: you'll need to clearly document your use of personal data.
- Communication: you'll need to update privacy notices on your contractual documents to take account of the GDPR.
- Individual rights: you'll need to ensure that your procedures cover all individuals' rights.
- Subject Access Requests: as individuals have the right to see the information you hold on them, you'll need to ensure you have a GDPR compliant way of retrieving and sharing the information for free.
- Legal basis: you'll need to ensure you document the legal basis on which you're processing the data.
- Consent: you'll need your customers to be very clear why they're giving you the information. This has to be by way of positive opt-in.
- Children: the GDPR is very specific about the treatment of children's data (anyone under the age of 13 in their world) so if your business deals with this data make sure you follow this closely.
- Data breaches: you need to have clear procedures for detecting, reporting and investigating breaches to help you avoid the fines outlined above.
- Data protection by design: if you introduce a new product or service, think about how it will affect individuals' data and get it right from the start!
- Data Protection Officer: every business needs a designated officer. If you're a sole trader, it's you.
- International: if your business exports data (and if you're exporting a product or service, you likely will be), you'll need to make sure your processes and procedures cover this.