Last week we asked for your feedback on the issues you may have encountered in applying our suggestions about following the 12 Steps, mapping the information you hold, and finding legal bases for processing or tackling your cybersecurity.
You can send us your thoughts and questions on any GDPR topic by emailing firstname.lastname@example.org.
While we are not able to respond to queries individually, we do hope to address the main issues you raise over the coming weeks.
Below are answers to some of the questions we have received so far.
Are the Information Commissioner's Office's 12 Steps out of date?
The Information Commissioner’s Office’s advice, 12 Steps to Take Now, was first published on 14 March 2016. The Information Commissioner’s Office (ICO) argued that it was essential to start planning your approach to GDPR compliance as early as you can, and pointed out that you may find compliance difficult if you leave your preparations until the last minute. In other words, the 12 Steps were intended to guide organisations’ GDPR work across a two-year run-in period.
Are they still the right place to start?
Emphatically ‘Yes’. The 12 Steps remain a good place to start. It is not too late to begin the process of discharging your GDPR obligation to ensure that your processing is carried out in accordance with the Regulation and to be able to demonstrate this (the ‘accountability principle’).
Is there a specific way I must go about data mapping?
There are no specific tools or methodologies you need to follow. The GDPR requires you to document your processing activities and records must be kept in writing. The ICO says that information audits or data mapping exercises can feed into your documentation of processing activities.
Data mapping requires you to understand your data flows and usually involves some form of visualisation. A number of commercial tools are available to assist with this. The ICO also points out that most organisations will benefit from maintaining records electronically, not least because the records must be kept up to date.
Seeking your views: Data Protection Officers
This week in particular, we would like your views (which can be provided anonymously) on whether or not you will appoint a formal Data Protection Officer under the GDPR. If you are not planning to do so, what alternative arrangements do you intend to put in place?
Email email@example.com to share your thoughts.
Our GDPR pages provide useful information on various elements of GDPR as well as external links which may be of use.
The ICO provides a guide on preparing for GDPR which should be your first stop as you work towards compliance. They have also developed two checklists for data controllers and data processors which may be of use.
We have provided guidance for law firms on when it may be necessary to appoint a data protection officer.
We encourage you to share useful information with your colleagues. Everyone in your firm will have some responsibility for GDPR compliance.
Upcoming GDPR conference
Our GDPR conference, 'Get Data Protection Ready: Down to the wire', will be held at the Law Society on 17 April. You won’t want to miss the chance to hear from experts including representatives from the ICO, the National Cyber Security Centre and other law firms.
Book your place now.