GDPR[1] introduces new privacy rights for individuals whose personal data you hold. Each business is responsible for assessing the degree of risk that its activities pose, and unfortunately there is no “one size fits all”. Here are some practical tips.
It comes into effect on 25 May 2018. If you do not comply you can be fined up to €20 million or 4% of turnover (whichever is higher). And authorities are serious about their commitment to do so. In the UK the Information Commissioner’s Office (ICO) has hired 200 additional staff to monitor organizations.
So it is vital that you begin developing a game plan. If not, the risk of reputational and financial exposure is high. Please get in touch if you’d like help. Here is our 7 Step Plan to get you GDPR ready.
1. Allocate responsibility for GDPR and raise awareness internally
Ensure key staff appreciate the impact GDPR will have on day to day activities. You may also be required to appoint a data protection officer (DPO) – a person responsible for overseeing data protection strategy and implementation – where core activities involve regular and systematic monitoring of personal data on a large scale, e.g. online behaviour tracking.
2. Document the personal data you hold and what you do with it
Review what personal data you hold, where it came from, what systems it is held on, why you hold it, what you do with it, and with whom you share it. While we often think about this in terms of customers, don’t forget employees, suppliers, partners, etc.
This is an ongoing requirement, so it needs to keep up with your business as it changes – it can’t be a one-off. Using the right tool can help, like effacts.com, where you can register and report on your data processes.
3. Carry out a data protection impact assessment (DPIA)
You must conduct a DPIA when there is high risk involved in relation to the personal data you collect or process (e.g. you carry out large-scale processing or collect sensitive personal data). But it is recommended that an assessment is performed for all data processing, regardless of risk level.
An assessment should look at how processes affect or might compromise the privacy of the individuals whose data you hold. If risks cannot be mitigated, you may need to consult with the relevant data protection authority (DPA – in the UK this is the ICO) before processing data.
4. Review privacy policies and contracts
Review your current privacy and cookie policies and put a plan in place for making any necessary changes. GDPR requires certain new statements to be included.
You should identify how you are complying with the rules (e.g. obtaining consents), document it and update notices to explain it. You also need to examine contracts with anyone processing data on your behalf (and, if you’re processing on behalf of others, your contracts with them) to ensure they meet the GDPR requirements – this includes Google, your CRM software provider and others. If not, the contracts will need to be changed.
5. Review technical and administrative procedures to ensure “privacy by design”
To comply with GDPR, you should be aware of the requirements for “privacy by design” and “data protection by default”. What this means is that privacy cannot be an afterthought; it needs to be embedded in the process of designing and marketing your products and services.
You need to have technical and administrative procedures in place to ensure that personal data is only processed for agreed processing purpose(s).
Individuals must be able to make ‘subject access requests’ and receive copies of their personal data electronically, and these requests must be complied with for free, so their number is likely to increase significantly. You also need to ensure that you can comply with individuals’ other rights, including the right to be deleted and the right to data portability.
6. Review how you manage consent and the rights of people
The GDPR rules for obtaining consent from individuals are stricter. Where you rely on consents you need to ensure they are requested, obtained, recorded and tracked as required by the GDPR. So, for example, you cannot use “pre-ticked” boxes for marketing or use data for purposes not specified.
7. Update procedures relating to the detection and reporting of breaches
In the event of a data breach, you will still need to notify data subjects and authorities. What is new under GDPR is that you are also required to record information about the breach and be ready to share it with the relevant authorities on request.
For more information, go to the ICO’s website.
And if you’re not sure how to manage the personal data you hold, consider using a platform like effacts.com. Their data privacy tool can track, manage and report on data processes and breaches. You can also use it to manage and report on corporate entities and housekeeping, contracts, compliance, claims, etc. It is a cloud-based solution enabling companies to manage their legal matters. For more information on how ‘Managing legal with the right tech’ could benefit your business, check out this case study.
[1] The General Data Protection Regulation