An initial review of your organisation’s readiness, which includes a report that shows how prepared you are for the GDPR and provides a prioritised outline of the activities you need to address before 25th May 2018.
What is the GDPR Readiness Review?
Our Readiness Review provides a first step in your GDPR journey by considering how your organisation is positioned for 25th May 2018 and beyond. The review takes into account the types of personal data you hold (where it is held, whether it is secure, special categories and recipients), existing privacy notices, policies and documentation, existing consents, the software you use, the third-party providers you engage and whether you require a Data Protection Officer.
What does the GDPR require?
The GDPR supersedes virtually all current data protection legislation in the EU and is currently being introduced into UK data protection law as the new Data Protection Bill. A major change is that individuals must have control over their personal data. Processing personal data is unlawful by default, so this review is the first step towards demonstrating in advance that your processing is lawful. Some new and extended requirements include:
- New rights for data subjects
- Lawful processing of personal data
- Extensive penalties and fines
- Data Protection Officers (DPOs)
- Privacy Impact Assessments
- Mandatory breach notification
- Privacy by Design
- Obligations on processors
Why do a Readiness Review?
You need to understand how GDPR will impact your organisation, including what preparations are necessary to comply with your GDPR obligations.
Your organisation must satisfy the legal requirement to demonstrate that it complies with the GDPR.
Readiness Review outcomes
The Readiness Review provides you with a summary of GDPR as it applies to your organisation (including a view of the proposed UK Data Protection Bill for UK-based companies), a view of your current data and processing based on the interview and a prioritised set of next steps (cross-referenced to GDPR) and a high-level milestone plan. It also provides an indication of the effort and timescales required for each action and how we can support you in achieving these.
The action plan covers areas including:
- Embedding best practice in privacy planning and strategy in your organisation
- Updating your privacy notices (websites, email, cookies) to adhere to the GDPR
- Whose personal data you process, including special categories such as health data and data about children
- Documenting the legal basis for processing personal data
- Processing requests to access, delete, amend or transfer personal data
- Whether you need a statutory Data Protection Officer (DPO) or just a lead privacy professional
- Software you use for email, address books, CRM, payroll etc.
- Where you store and access personal data, e.g. in-house, hosted or Cloud
- The relevance of Brexit