With all the noise about GDPR and the 25 May 2018 deadline edging closer, we’re still seeing a lot of confusion from businesses about what they actually need to do to comply. There’s an understanding of the risk of reputational and financial exposure, but what does a game plan actually look like? How far-reaching an overhaul is required?
When it comes to managing personal data, each business is responsible for assessing the degree of risk that its activities pose. While there’s no “one size fits all”, there are some practical steps you can take.
- Shift your mind-set
New regulation is a headache, but for many businesses there’s a different way to think about this. There’s actually a competitive advantage that can be built using GDPR. As you fine-tune your response over the next three months, consider how your data strategy could sharpen your current market segmentation, clean out old data and improve your operational efficiency. Communicating how you protect your customers’ data boosts customer confidence and loyalty. This mind-set will shift how you manage compliance.
- Allocate responsibility for GDPR and raise awareness internally
Ensure key staff appreciate the impact GDPR will have on day-to-day activities. You may also need to appoint a data protection officer (DPO) – a person responsible for overseeing data protection strategy and implementation – where core activities involve regular and systematic monitoring of personal data on a large scale, such as online behaviour tracking.
- Document data and what you do with it
Review and classify personal data. Know where it came from, what systems it is held on, why you hold it, what you do with it, with whom you share it (internally and externally) and for how long you need to retain it. While we often think about this in terms of customers, don’t forget the wider network of employees, suppliers and partners.
This element is an ongoing requirement and needs to keep up with your business as it grows.
- Don’t forget employee data
As an employer, tightening up on how you share data within the organisation is key. This means moving away from relying on consent when processing employee data and focusing on other justifications, such as contract performance and legal obligations, as well as administrative reasons and workplace efficiency.
Make sure you check and update employment contracts and handbooks, and that your people understand – ideally via training – how to handle data.
- Carry out a data protection impact assessment (DPIA)
A DPIA is critical for high-risk data (large-scale processing or sensitive personal data). We would recommend an assessment for all data processing, together with approval from the relevant data protection authority (the UK DPA is the ICO).
- Review privacy policies and contracts
Review current privacy and cookie policies and make any necessary changes. GDPR requires certain new statements to be included.
You should identify how you are complying with the rules (e.g. obtaining consents), document it and update notices to explain it. Check contracts with anyone processing data on your behalf to ensure they’re GDPR compliant, such as your CRM software provider, any databases you subscribe to and so on.
- Ensure “privacy by design”
GDPR compliance requires you to adhere to “privacy by design” and “data protection by default”. This means privacy cannot be an afterthought; it must be embedded in the process of designing and marketing your products and services.
You need to have technical and administrative procedures in place to ensure that personal data is only processed for the agreed purpose(s).
Individuals must be able to make “subject access requests” and receive copies of their personal data electronically. These requests must be complied with free of charge, so you’ll probably see a significant increase in their number. You also need to ensure that you can comply with individuals’ other rights, including the right to be deleted and the right to data portability.
- Review how you manage consent and the rights of people
The GDPR rules for obtaining consent from individuals are stricter. Where you rely on consent, you need to ensure it is requested, obtained, recorded and tracked as required by the GDPR. So, for example, you cannot use “pre-ticked” boxes for marketing or use data for purposes not specified.
- Update procedures relating to the detection and reporting of breaches
In the event of a data breach, you still need to notify data subjects and authorities. Under GDPR, you’ll also have to record information about the breach and be ready to share it with the relevant authorities on request.
GDPR is here. There’s no need to overcomplicate it; rather, be proactive about how you manage your data.
By Helen Goldberg, COO, LegalEdge
Article originally published by GDPR:Report on 22nd February 2018.