Improve practice

The GDPR may mean “end to end reform of business processes and practices” (Stewart Room PWC Legal)

Accountability, upholding rights and demonstrable compliance are key.  All staff should be involved in tightening up and implementing procedures.

Management engagement

• Recognition of potential risk to business
• Recognition of impact on business processes
• Promotion and encouragement of compliance culture
• Encourage the input of staff
• Enable regular staff training/updating
• Consider appointment of an experienced data protection officer
• Monitor, test, review and improve practices and reporting mechanisms

Non-IT engagement

• Improve the information provided to clients/staff
  • Must be concise, transparent, intelligible and easily accessible, using clear and plain language
• Create records of processing activities
• Establish internal governance processes
• Ensure consent is clear and for explicit purposes
• Check the new rules around children’s data are met, where relevant
• Identify any need for impact assessments
• Consider transfers to third countries

IT engagement

• Identify any automated decision-making or profiling
• Review customer facing processes for compatibility with the new rules on portability, access and restrictions on processing
• Build privacy by default into applications and processes
• Enable the identification and reporting of data breaches