Ten steps
If you were starting from scratch and introducing GDPR into your firm for the first time, these ten steps will help you to create an implementation plan.
| Step | Action | Detail |
|---|---|---|
| 1 | Register with the Information Commissioner's Office (ICO) | Your firm is a data controller and must be registered with the ICO. From 25 May 2018, data controllers will be required to pay a data protection fee at a level appropriate to their size and turnover. |
| 2 | Audit your data processing | Map out how you process personal data on behalf of your clients, from the moment it comes into your office through to storage and file destruction. Don't forget to map the processing of the personal data of your staff. In the guide, we show what a data audit of a high street firm might look like. You are required to keep a record of certain data processing activities; this audit will provide you with the information that needs to be recorded and that is required to meet other data protection compliance obligations. |
| 3 | Identify all the third parties you share data with | You must have a GDPR-compliant contract in place with data processors (service providers who deal with personal data on your behalf) and appropriate arrangements in place with other controllers. You may wish to consider having arrangements with other organisations that you share personal data with, particularly in relation to confidentiality, security and retention. |
| 4 | Create a data retention policy | You can only store data for as long as it is necessary for the purpose for which it was processed. |
| 5 | Have a written data protection policy | Your data protection policy sets out your approach to data protection and privacy. |
| 6 | Create privacy notices setting out how you process personal data, at least for clients, staff and visitors to your website | There is an obligation to provide anyone whose personal data you process with information about how you handle their data, setting out their rights and how to exercise them. |
| 7 | Have a written process for dealing with data subject requests, including subject access requests | You should have a policy detailing how you will deal with requests from clients, employees/ex-employees and others regarding the information that you hold about them. Individuals also have the right to ask for their personal data to be erased in certain circumstances. This can be included in your data protection policy. |
| 8 | Have a process and written guidance for what to do in the event of a personal data breach | Have in place a written process setting out what to do in the event of a breach, which provides guidance on how to identify whether it needs to be reported and who is responsible for reporting to the ICO and to the data subject. Ensure that all staff can identify a personal data breach and are aware of who to report it to. |
| 9 | Review your approach to marketing to ensure it is compliant | Digital marketing is regulated by the Privacy and Electronic Communications Regulations, which mandate that consent is generally required for marketing to individuals and sole traders, but not necessarily to business contacts. You may be able to use the soft opt-in for clients. |
| 10 | Train your staff | It is crucial that everyone in your firm who handles client data understands and adheres to your policies for handling personal data. Arrange training to ensure that they are up to speed. |