• Assessing whether your company now falls within scope of the GDPR, especially if you have no physical presence in the EU;
• Reviewing internal processes to meet requirements on individuals’ rights (e.g., how to grant access to data, who’s in charge, or whether data are in a standard format that can be exported to another company) and data breach notification requirements (updating or setting up incident response plans);
• Implementing a records system to address the documentation requirement;
• Setting up or revising privacy impact assessment checklists and procedures;
• Ensuring a DPO is appointed as required;
• Reviewing customer-facing materials to comply with new consent and transparency requirements;
• Reviewing and amending agreements with processors; and
• Raising in-house awareness through training, so that all stakeholders understand the upcoming requirements and risks.
See also the 12-step checklist of March 2016 published by the UK ICO, which outlines steps that organizations can take now to prepare for the GDPR.
For a more detailed analysis of the GDPR and what it entails for businesses, see our client alert.
1 The package also comprises a Directive on the processing of crime-related data by competent authorities, which received less attention than the GDPR and is not as directly relevant to companies.
© 2016 Morrison & Foerster LLP | mofo.com