Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
It is important to use this checklist and other Information Commissioner’s
Office (ICO) resources to work out the main differences between the
current law and the GDPR. The ICO is producing new guidance and other
tools to assist you, as well as contributing to guidance that the Article 29
Working Party is producing at the European level. These are all available
via the ICO’s Overview of the General Data Protection Regulation. The
ICO is also working closely with trade associations and bodies
representing the various sectors – you should also work closely with these
bodies to share knowledge about implementation in your sector.
It is essential to plan your approach to GDPR compliance now and
to gain ‘buy in’ from key people in your organisation. You may need, for example,
to put new procedures in place to deal with the GDPR’s new transparency
and individuals’ rights provisions. In a large or complex business this
could have significant budgetary, IT, personnel, governance and
communications implications.
The GDPR places greater emphasis on the documentation that data
controllers must keep to demonstrate their accountability. Compliance
with all the areas listed in this document will require organisations to
review their approach to governance and how they manage data
protection as a corporate issue. One aspect of this might be to review the
contracts and other arrangements you have in place when sharing data
with other organisations...