GDPR: Actions Speak Louder Than Words

With less than one month to go until the GDPR comes into force (25/05/18), if you are a business owner and the acronym GDPR means nothing to you, then you need not only to get up to speed on the new rules but, more importantly, to ensure that you meet these new requirements in the operating procedures of your company.

GDPR stands for the General Data Protection Regulations, and it is designed to enhance individuals' rights to data privacy. This means that businesses that are responsible for holding personal data will need to have processes and technologies in place that can deal with data requests from subjects.

GDPR builds on the UK’s existing 1998 Data Protection Act, reflecting a world of data and technology that has moved on immeasurably since the Act came into force in 2000. Companies now handle extraordinary amounts of personal information. Cyber breaches are regularly reported in the press and are prominent in the public eye in the aftermath of the Facebook cyber breach by Cambridge Analytica. When we add this to the high-profile data leaks at the firms Mossack Fonseca and Appleby and the frightening cyber attacks at Experian and TalkTalk, it is understandable that European regulators might feel vindicated in beginning an expansion.

There are lots of companies out there at the moment going over the ins and outs of the legislation, which is useful, but it often does not help you become compliant on a practical level.

If you haven’t yet done anything about GDPR’s implementation, your first step will be to know exactly what personal data the company holds (and where it’s held), along with where it has come from and how you process it. Individuals will be enfranchised with 8 new data rights, including the ‘right to be forgotten’. You’ll therefore need to ensure that data is stored in easily accessible places, and know who in your organisation has access to any personal information.

Here are some tips for practising GDPR compliance:

Tick the ICO’s boxes (as a bare minimum!)

The Information Commissioner’s Office (ICO) will also be keen to find out exactly how you are complying with the new GDPR, so it’s important that you can demonstrate the processes you have for:

  • obtaining consent
  • subject access requests
  • data-protection impact assessments
  • deleting client data
  • reporting data breaches within 72 hours

Empathise with your customers’ and employees’ data rights.

In all cases, the ICO’s prescribed processes will need to reflect the fact that individuals now have enhanced rights. Make it easier for yourself.

Approaching compliance through empathy is a highly effective way to obtain and maintain it easily. Whether you are a managing director, compliance officer or manager, you are also an individual, and you have your own feelings and your own desire to control how you are presented digitally and what information is held about you.

Put your customers at the heart of this exercise. The opportunity to build a stronger layer of trust can drive a transformation in company culture and turbocharge the quality of the services you provide.

Create a role for data protection (official or not)

Every public authority and company that carries out large-scale individual monitoring (such as online behaviour tracking) will need to have a Data Protection Officer in place, while every other company will need to ensure that a senior staff member holds responsibility for compliance with data protection.

Opening a new role for GDPR compliance is important in ensuring your new compliance systems are working. Hire or appoint someone who has a deep understanding of how your business works and the ability to work across all your departments and with all your stakeholders.

Don’t get caught out.

It’ll be important to ensure that you don’t get caught out by GDPR. For example, when you are collecting customers’ email addresses, you will need their consent if you want to use these for marketing purposes (which they must be able to opt out of later), and you will also need to explain to your customers exactly how you plan to use their data. No longer can any company have a ‘pre-ticked’ opt-in box on its website, or use e-mail to promote products or services beyond the reason for which the customer initially gave their data without their consent.

The other big priority over the next month is to contact all of your clients to confirm they are aware of GDPR and of what you are doing to update your procedures. As well as the above, this will also need to include updates to your privacy notices to show the data you collect and how you plan to use it. You will need to show how you have considered who has access to data (and why), and demonstrate that all data is secure and regularly backed up. One suggestion under GDPR is to think about encrypting all electronic devices!

Getting your company up to speed on GDPR isn’t a choice – it will very soon be against the law for companies not to offer greater personal privacy around data. Failure to comply could lead to fines of up to 4% of total annual turnover or €20 million, whichever is greater, so not having the right data protection policies in place could be very costly.